#########################################################################
#
# RoxTeam Italian Hackers And Security Team 2012
#
#
# Exploit Title: SimogeoFilemanager Upload File Vulnerability
# Date: 09/02/2012
# Author: hack`
# Author Email: RoxSecurityTeam[at]com[dot]hotmail.it
# Category: webapps
# Risk: Higt
# Vendor or Software Link: https://github.com/simogeo/Filemanager
# Download Link: https://github.com/simogeo/Filemanager/downloads
# Tested on: Linux
# Google Dork: inurl:/filemanager/userfiles/ filetype:pdf or inurl:/filemanager/index.html
#Proof of Concept :
[-] Vulnerable code in: /filemanager/index.html
[-] Exemple: http://site.com/filemanager/index.html
Step1: Search site that contains the vulnnerable file /filemanager/index.html
Step2: Upload Backdoor Shell.php
Step3: Move to the folder where files are stored /UserFiles/ Exemple: http://site.com/filemanager/UserFiles/Shell.php
Step4: Now you can have full access to your shell ;)
Exemple Site:
http://www.kanu-sachsen-anhalt.de/admin/media/simogeo-Filemanager/index.html
http://www.nusportcentral.co.uk/ckeditor/filemanager/index.html
http://www.kosisi.lv/resursi/ckeditor/filemanager/index.html
Fix Problems: Rename the folder containing the main index and rename the index to your liking
