Hello guys, I'm back with another remote upload vulnerability: it's the TinyMCE ajaxfilemanager plugin.
Let's start.
Open Google.com and enter this dork:
"tiny_mce/plugins/ajaxfilemanager"
Select any website from the search results.
The vulnerable website's URL will look like this: http://site.com/[path]/jscripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php
You can upload [.txt], [.jpg], [.gif] and [.bmp] files here. On some sites you can upload your shell as php;.jpg, but on most sites you can only upload a txt deface :|


You'll see your uploaded file here:
http://site.com/images/yourfilehere
or http://site.com/uploaded/tmp/yourfilehere
Note: the path may be changed on other websites; I'm not sure about it, so comment here if you did not find your uploaded file on any site.


Live demo :- http://www.thebradshawscornershop.co.uk/scripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php#

Uploaded file :- http://www.thebradshawscornershop.co.uk/images/hacked_by_minhal.txt
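A defender-side log check for the paths named above, as an added example that is not part of the original post: it scans constructed combined-format access-log lines and flags requests to ajaxfilemanager.php, POSTs to it (assumed here to be the upload request), and non-image or double-extension files served from the /images/ and /uploaded/tmp/ directories.

```python
import re

# Constructed sample access-log lines (combined format); not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:10:01:02 +0000] "GET /scripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:01:09 +0000] "POST /scripts/tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php?upload=1 HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:01:15 +0000] "GET /images/deface.txt HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2012:10:02:00 +0000] "GET /images/logo.jpg HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:02:30 +0000] "GET /uploaded/tmp/cmd.php;.jpg HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_MARKER = "tiny_mce/plugins/ajaxfilemanager/ajaxfilemanager.php"
UPLOAD_DIRS = ("/images/", "/uploaded/tmp/")   # upload locations named in the post
IMAGE_EXT = {"jpg", "jpeg", "gif", "bmp", "png"}


def classify(line):
    """Return (finding, ip, path) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, status = m["method"], m["status"]
    url_path = m["path"].split("?", 1)[0]
    if PLUGIN_MARKER in url_path:
        # Any hit shows the file manager is reachable; a POST is assumed to be an upload.
        return ("upload_attempt" if method == "POST" else "plugin_probe", m["ip"], url_path)
    if method == "GET" and status == "200" and url_path.startswith(UPLOAD_DIRS):
        name = url_path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        # Non-image extension, a second extension, or a semicolon (cmd.php;.jpg) is suspicious.
        if ext not in IMAGE_EXT or name.count(".") > 1 or ";" in name:
            return ("suspicious_upload_served", m["ip"], url_path)
    return None


def scan(log_text):
    """Scan a whole log and return the list of findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```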

2 comments:

  1. tosslove:

    Yeah dude :p you're so right, I've been hacked, so I'll restore a backup and disable plugins :)

  2. This comment has been removed by a blog administrator.

