1260 web sites… Can be HACKED for 5 min

1260 web sites… Can be HACKED for 5 min!

At June 10, 2010 I modified the published FLAW for FCKEDITOR to gain full root access to the 3 biggest Internet services providers in Macedonia.  The hack was working on IIS Web Servers from Microsoft and a Exploited version of open source web based editor FCKEDITOR.

During a penetration test on a web site of our relative I discovered that the hosting server is not well secured. During the scans I discovered that owners of the web server are not informed about the exploit of FCKEDITOR in ASP platform. I contacted the authorities in all regular way to warm them about the exploits but nobody didn’t take my advice serious. After couple of mounts of waiting I released the information public on my BLOG and FACEBOK fun page.  The funniest thing is that same flaws are still remains on that server after 2 years.

For a proof i released the username and password of the web server local administrator credentials marked with asterisk *.

Web server of NEOTEL

Platform: IIS Microsoft.

Ip: 80.77.144.13


user:IUSR_WEBSERVER


pass:GE|-TWRZc*****


domain:80
path:c:inetpubwwwroot


Full Read Write Execute access!

 

Web server of ULTRA

Platform:IIS Microsoft.

Ip:212.13.93-95

user:IUSR_APOLLO


pass:$rEM273#******


domain:80
path: D:wwweb

Full Read Write Execute access!

 

Web server of T-HOME

Platform:IIS Microsoft. |

Ip:195.26.152.200


user: IUSR_WEB3NEW


pass:d4O0Y)JT’*****


domain:80
path: c:inetpubwwwroot

Full Read Write Execute access!

 

 

Proof of concept:

To hack these servers you need to find a web site who is using a FCKEDITOR. For that you can use a google or other search engine with this option: site: MK inurl: FCKEDITOR

After that you need to test the url path of the FCKEDITOR with this modified function:

“browser.html?Type=/././&Connector=connectors/aspx/connector.aspx”

Like you can see here I am asking to list me the Root of the location where FCKEDITOR is installed with “/././” command and the result is this:

Like we can see here the upload manager of FCKEDITOR is ready to do rest for bad guys who can easy install some SHELL or other BACKDOOR tool on this web server finding a proper directory with “write” permission.

 

 

 

 

 

 

 

Resources I used for this hack is :

http://www.exploit-db.com/exploits/1484/

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: