Wordocs Israel FCKeditor Shell Upload

2012-09-04T00:00:00
ID PACKETSTORM:116213
Type packetstorm
Reporter Net.Edit0r
Modified 2012-09-04T00:00:00

Description

                                        
----------------------------------------------------------------  
Wordocs Israel FCKeditor Shell Upload Disclosure Vulnerabilities  
----------------------------------------------------------------  
  
# Exploit Title: Wordocs Israel FCKeditor Shell Upload Disclosure Vulnerabilities  
# Google Dork: inurl:/files/wordocs/ site:il  
# Application Name: [Wordocs Israel]  
# Date: 2012-09-04  
# Author: BHG Security Center  
# Home: http://cc.black-hg.org - http://greyh4t.com/cc/  
# Version: [ 0.4.1.16 ]  
# Impact : [ High ]  
# Tested on: [linux+apache]  
# CVE : Webapps  
# Finder(s):  
- Net.Edit0r (Net.Edit0r [at] att [dot] net)  
  
# Note: Please note there is a vulnerability in the site of non-Israeli  
# Description: A shell can be uploaded directly and then used on the server  
  
+-----------------------+  
| Shellcode Upload |  
+-----------------------+  
  
The vulnerable code is located in  
/FCKeditor/editor/plugins/uploadme/fck_uploadme.php  
  
Proof of Concept:  
-----------------  
  
~ PoC : http://localhost/FCKeditor/editor/plugins/uploadme/fck_uploadme.php  
  
  
~ File upload path : http://[Target]/files/wordocs/shell.php  
  
~~~~~~~~ Demo :  
http://facet-theory.org/FCKeditor/editor/plugins/uploadme/fck_uploadme.php  
  
~ Study of Vulnerability : http://www.mediafire.com/?qedv4dq6b4yfqcz  
  
  
[-] Disclosure timeline:  
  
[04/08/2011] - Vulnerabilities discovered  
[14/10/2011] - Other vulnerabilities discovered  
[15/10/2011] - Issues reported to http://black-hg.org  
[04/09/2012] - Public disclosure  
  
  
# Greets To :  
  
Net.Edit0r ~ A.Cr0x ~ 3H34N ~ G3n3Rall ~ l4tr0d3ctism ~ NoL1m1t  
  
~ Mr.XHat THANKS TO ALL Iranian HackerZ ./Persian Gulf  
  
===========================================[End]=============================================  
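For defenders checking whether an affected install was abused, the following added example (not part of the original advisory) scans Apache access-log lines for POSTs to the uploader path named above and for requests to script files under /files/wordocs/. The log lines are constructed samples, and the extension list and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Paths taken from the advisory; the script-extension list is an assumption.
UPLOADER = "/FCKeditor/editor/plugins/uploadme/fck_uploadme.php"
UPLOAD_DIR = "/files/wordocs/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Apache common/combined prefix: host ident user [time] "METHOD target proto" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [04/Sep/2012:10:00:01 +0000] "GET /FCKeditor/editor/plugins/uploadme/fck_uploadme.php HTTP/1.1" 200 512
198.51.100.7 - - [04/Sep/2012:10:00:09 +0000] "POST /FCKeditor/editor/plugins/uploadme/fck_uploadme.php HTTP/1.1" 200 128
198.51.100.7 - - [04/Sep/2012:10:00:15 +0000] "GET /files/wordocs/shell.php?x=1 HTTP/1.1" 200 64
203.0.113.20 - - [04/Sep/2012:10:02:00 +0000] "GET /files/wordocs/report.doc HTTP/1.1" 200 20480
203.0.113.20 - - [04/Sep/2012:10:03:00 +0000] "GET /files/wordocs/old.PHP HTTP/1.1" 404 0
"""

def find_suspicious(log_text):
    """Return per-client findings: uploader POSTs and script requests in the upload dir."""
    findings = defaultdict(lambda: {"uploads": [], "script_hits": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the expected format
        host, when, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string before matching
        if method == "POST" and path.lower() == UPLOADER.lower():
            findings[host]["uploads"].append(when)
        elif path.lower().startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            findings[host]["script_hits"].append((when, path, int(status)))
    return dict(findings)

def confirmed_clients(findings):
    """Clients that POSTed to the uploader and also got a 2xx from a script in the upload dir."""
    return sorted(h for h, f in findings.items()
                  if f["uploads"] and any(200 <= s < 300 for _, _, s in f["script_hits"]))

if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG)
    for host, f in result.items():
        print(host, f)
    print("investigate first:", confirmed_clients(result))
```

Any 2xx response for a script file under the upload directory means the server executed or served uploaded code, so those clients and files are the first to triage.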