####################################################################

# Exploit Title : TinyMCE JBimages Plugin 3.x JustBoilMe Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 14/02/2019
# Vendor Homepage : justboil.marketto.ru ~ tiny.cloud
# Software Download Link : github.com/28harishkumar/blog/tree/master/public/js/tinymce
# Software Information Link : tiny.cloud/docs/plugins/
# Software Affected Version : 3.x /4.x / 5.x and Free Version
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : High
# Vulnerability Type : CWE-89 [ Improper Neutralization of 
Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Description about Software :
***************************
One Click Image Upload for TinyMCE JBimages Plugin Version 5 and previous versions.

JustBoil.me Images is a simple, elegant image upload plugin for TinyMCE. 

It is free, opensource and licensed under Creative Commons Attribution 3.0 Unported License.

####################################################################

# Impact :
***********
TinyMCE JBimages Plugin is prone to a vulnerability that lets attackers upload arbitrary files 

it fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute it 

in the context of the webserver process. This may facilitate unauthorized access 

or privilege escalation; other attacks are also possible.

Remote attackers can use browsers to exploit and they can request target sites via URL.

This issue may allow attackers to place malicious scripts on a server, which can lead to various attacks.

####################################################################

# Vulnerable Source Code :
************************
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
	<title>Upload an image</title>
	<script type="text/javascript" src="js/dialog-v4.js"></script>
	<link href="css/dialog-v4.css" rel="stylesheet" type="text/css">
</head>
<body>

	<form class="form-inline" id="upl" name="upl" action="ci/index.php?upload/english" method="post" enctype="multipart/form-data" target="upload_target" onsubmit="jbImagesDialog.inProgress();">
		
		<div id="upload_in_progress" class="upload_infobar"><img src="img/spinner.gif" width="16" height="16" class="spinner">Upload in progress&hellip; <div id="upload_additional_info"></div></div>
		<div id="upload_infobar" class="upload_infobar"></div>	
		
		<p id="upload_form_container">
			<input id="uploader" name="userfile" type="file" class="jbFileBox" onChange="document.upl.submit(); jbImagesDialog.inProgress();">
		</p>
		
		<p id="the_plugin_name"><a href="http://justboil.me/" target="_blank" title="JustBoil.me &mdash; a TinyMCE Images Upload Plugin">JustBoil.me Images Plugin</a></p>
	
	</form>

	<iframe id="upload_target" name="upload_target" src="ci/index.php?blank"></iframe>

</body>
</html>

# Arbitrary File Upload Exploits :
****************************
/tinymce/plugins/jbimages/dialog.htm

/admin/includes/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/Administration/Content/tinymce/plugins/jbimages/dialog-v4.htm

/js/tinymce/plugins/jbimages/dialog-v4.htm

/live/_painel/textare/tinymce/plugins/jbimages/dialog-v4.htm

/scripts/tinymce/plugins/jbimages/dialog-v4.htm

/vendor/tinymce/plugins/jbimages/dialog-v4.htm

/user_data/tinymce/plugins/jbimages/dialog-v4.htm

/adm/sistema/aplicativo/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/app/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm

/main/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/assets/plugins-new/tinymce/plugins/jbimages/dialog-v4.htm

/media/tinymce/plugins/jbimages/dialog-v4.htm

/site/public/scripts/tinymce/plugins/jbimages/dialog-v4.htm

/king-admin/tinymce/plugins/jbimages/dialog-v4.htm

/assets/js/tinymce/plugins/jbimages/dialog-v4.htm

/assets/frontend/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/assets/includes/tinymce/plugins/jbimages/dialog-v4.htm

/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm

/ojs/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm

/ojsinvestigacion/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm

/revista/lib/pkp/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog.htm

/themes/admin/vendors/bower_components/tinymce/plugins/jbimages/dialog-v4.htm

/wp-content/themes/career-grooms/assets/js/tinymce/plugins/jbimages/dialog-v4.htm

/wp-content/plugins/Soci_Traffic_Pro/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/static/admin/plugin/tinymce/plugins/jbimages/dialog-v4.htm

/extras/admin/js/tiny_mce/plugins/jbimages/dialog.htm

/tinymce/plugins/jbimages/dialog-v4.htm

/system/js/libs/tiny_mce/plugins/jbimages/dialog.htm

/ressources/js/tinymce/plugins/jbimages/dialog-v4.htm

/admin.[DOMAIN-ADRESS-HERE].com/app/template/js/tinymce/plugins/jbimages/dialog-v4.htm

/data/control/js/tinymce/plugins/jbimages/dialog-v4.htm

/js/vendor/tinymce/plugins/jbimages/dialog-v4.htm

/text_editor/jscripts/tiny_mce/plugins/jbimages/dialog.htm

/public/js/tiny_mce/plugins/jbimages/dialog.htm

/cms/assets/js/tiny_mce/plugins/jbimages/dialog.htm

/assets/bower_components/tinymce/plugins/jbimages/dialog-v4.htm

/content/admin/javascript/tinymce/plugins/jbimages/

/preview/assets/admin/tinymce/plugins/jbimages/dialog-v4.htm

/content/tinymce/plugins/jbimages/dialog-v4.htm

/public/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm

/vendor/tinymce/plugins/jbimages/dialog-v4.htm

/sapred/bibliotecas/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/assets/backend/tinymce/plugins/jbimages/dialog-v4.htm

/media/tinymce/plugins/jbimages/dialog-v4.htm

/loja/app/webroot/js/tinymce/plugins/jbimages/dialog-v4.htm

/httpdocs-bak/httpdocs/tinymce/plugins/jbimages/dialog-v4.htm

/nextgest/assets/js/tinymce/plugins/jbimages/dialog-v4.htm

/assets/tinymce/plugins/jbimages/dialog-v4.htm

/public/content/tinymce/plugins/jbimages/dialog-v4.htm

/apps/ownnote/js/tinymce/plugins/jbimages/dialog-v4.htm

/common/admin/js/tinymce/plugins/jbimages/dialog-v4.htm

/socialDev1/externals/tinymce/plugins/jbimages/dialog-v4.htm

/kutaibarat/js/tinymce/plugins/jbimages/dialog-v4.htm

/v02/assets/js/tinymce/plugins/jbimages/dialog-v4.htm

/Lukas/js/tinymce/plugins/jbimages/dialog-v4.htm

/Lukas/js/tinymce/plugins/jbimages/dialog.htm

/3adminp/js/tinymce/plugins/jbimages/dialog-v4.htm

/content/tinymce/plugins/jbimages/dialog-v4.htm

/view/js/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/ieee-cis/assets/tinymce/plugins/jbimages/dialog-v4.htm

/resources_xt/FW/scripts/tinymce-4.2.6/plugins/jbimages/dialog-v4.htm

/store/lib/tinymce/jscripts/tiny_mce/plugins/jbimages/dialog-v4.htm

/wp-includes/js/tinymce/plugins/jbimages/dialog-v4.htm

/engine/application/views/admin/template/resources/js/tinymce/plugins/jbimages/dialog-v4.htm

/w3skills/editor/plugins/jbimages/dialog-v4.htm

/web/utils/templates/tinymce/js/tinymce/plugins/jbimages/dialog-v4.htm

/plugins/tiny_mce/plugins/jbimages/dialog-v4.htm

/application/views/admin/assets/js/TinyMCE/tiny_mce/plugins/jbimages/dialog.htm

/site/assets/grocery_crud/texteditor/tiny_mce/plugins/jbimages/dialog-v4.htm

/site/assets/grocery_crud/texteditor/tiny_mce/plugins/jbimages/dialog.htm

/App_Themes/Homevestors/Libs/js/tinymce4.7/plugins/jbimages/dialog.htm

/admin/inc/tiny_mce/plugins/jbimages/dialog.htm

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################