ExploitFixes
CKEditor 3.6.1 File Upload Vulnerability 2012-09-17 19:43:20
Posted by: dementor

#############################
## Exploit Title : CKEditor 3.6.1 File Upload Vulnerability
## Author : Mr.Dementor
## Home : http://www.magetan-it.org/
## Contact : [email protected]
## Software Link : http://ckeditor.com
## Security Risk : High
## Version : 3.6.1
## Tested on : Win7
## Dork : N/A

#Description : This bug allow attacker to upload shell backdoor in all extension. The uploader program does not filter file extension. Finally, you can upload your shell easily without tampering HTTP/Header or MiTM.

#Exploit :
Go to admin panel and upload some backdoor php via CKEditor.

#Vulnerable Code :

#include on editor area
#################################################
<?php
include_once "ckeditor/ckeditor.php";

$CKEditor = new CKEditor();
// Path to the CKEditor directory, ideally use an absolute path instead of a relative dir.
// $CKEditor->basePath = '/ckeditor/'
// If not set, CKEditor will try to detect the correct path.
$CKEditor->basePath = 'ckeditor/';
$CKEditor->config['width'] = 790;
$CKEditor->config['height'] = 500;
$CKEditor->config['extraPlugins'] = "autogrow";
$CKEditor->config['baseHref'] = "../";
$CKEditor->config['filebrowserUploadUrl'] = "upload.php";
$CKEditor->config['filebrowserBrowseUrl'] = "browse.php";
$CKEditor->config['uiColor'] = "#F6F3EA";
$CKEditor->config['enterMode'] = "CKEDITOR.ENTER_BR";
$CKEditor->config['bodyClass'] = "newClean2";
$CKEditor->config['forcePasteAsPlainText'] = "true";

$CKEditor->replace("nbody");
?>
#################################################

#Lets we find upload.php
#################################################
<?
move_uploaded_file($_FILES["upload"]["tmp_name"],"../images/" . $_FILES["upload"]["name"]) or die("File could not be uploaded.");
echo "File Uploaded!";
?>
#################################################




#Notes :
#Where you can find your shell : http://some.target/admin/browse.php?CKEditor=nbody&CKEditorFuncNum=2&langCode=en
# Browse your *.php in the new tab on your browser.
# The uploader script [ upload.php ] only work in pop-up window with "click" action from editor area.

#############################
# Best Greats : Handi Eko Saputro
# Greats : tiaNG_jaWI , aSU_aBANG, Cybertasiex, Detol SevenCrew, De Vinclous, Dany Artha, BL4cKc0d1n6.
#############################