FCKeditor 2.0 through 2.2 allows files with the suffixes ASA, CER, PHP2, PHP4, INC, PWML and PHT to be uploaded.
After upload it saves the file directly as $sfilepath = $sServerDir . $sFileName, instead of rebuilding the name from $sextension as the suffix.
On Windows this means the uploaded filename can be followed by a "." to break through the check [not tested].
Under Apache the "Apache filename resolution flaw" can also be used; see Appendix A.
For the other upload vulnerabilities it is also recommended, when defining the type variable, to upload through the File type, since in the FCKeditor code it is the type with the fewest restrictions.
Attack Exploits:
Any other suffix can be uploaded.
Use the Windows 2003 path-parsing vulnerability to upload a web shell.
Affected versions: see Appendix B
Vulnerability Description:
Using the principle of the Windows 2003 path-parsing vulnerability, create a directory such as "Bin.asp"; files uploaded into this directory are then run by the script interpreter with the corresponding script permissions.
FCKeditor has an input validation error when processing a file upload; a remote attacker can use this vulnerability to upload arbitrary files.
When uploading files through editor/filemanager/upload/php/upload.php, an attacker can cause an arbitrary script to be uploaded by supplying an invalid value for the type parameter.
A successful attack requires file uploads to be enabled in the config.php configuration file, which is disabled by default. Exploit (please modify the action field to the target URL):
FCKeditor "=2.4.2 for php.html
Note: to try the v2.2 version of the vulnerability you can set Type= to any value, but if you change it to media the first letter must be a capital M (Media); otherwise, on Linux, FCKeditor's case-sensitive check of the file directory fails and the upload does not succeed.
Arbitrary file upload vulnerability via a custom type variable
Affected versions: earlier versions
Vulnerability Description:
By customizing the parameter of the type variable you can create or upload files into a specified directory, and there is no restriction on the uploaded file format.
The web shell can be uploaded to the root directory of the website.
Note: if you cannot find the default upload folder, check this file: Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?command=getfoldersandfiles&type=image&currentfolder=/
FCKeditor file upload: bypassing the "." to "_" underscore rename
Affected versions: FCKeditor >= 2.4.x
Vulnerability Description:
If we upload a file such as shell.php.rar or shell.php;.jpg, it becomes shell_php;.jpg. This is the change in the new FCK.
Attack Exploits:
Submitting 1.php followed by a space bypasses all of this.
※ However, the trailing space only works on Windows; *nix is not affected [on *nix, 1.php and "1.php " are two different files].
Note: filtered files end up in a format such as upload/2010/3/201003102334372778.jpg. As for the IIS6 parsing vulnerability:
The first upload of 123.asp;123.jpg is filtered to 123_asp;123.jpg and cannot run.
But on the second upload of the same file 123.asp;123.jpg, because "123_asp;123.jpg" already exists,
the file is named using the numbering scheme 123.asp;123 (1).jpg, 123.asp;123 (2).jpg, ...
So the IIS6 vulnerability still executes.
If you have not succeeded with the steps above, there are several possible reasons:
1. FCKeditor does not have file upload enabled; this feature is turned off by default when FCKeditor is installed. If you try to upload a file, FCKeditor will show an error message.
2. The website uses a compact version of FCKeditor; the thin version has lost many features, including the file upload function.
It is advisable to check whether the admin_style.asp file can be accessed directly.
Default database path: [Path]/db/ewebeditor.mdb
[Path]/db/db.mdb -- this database is used in some CMSes
You can also try [path]/db/%23ewebeditor.mdb -- a little trick some admins think is clever
Use the default password admin/admin888 or admin/admin to enter the back end; you can also try admin/123456 (some administrators and some CMSes set it that way).
1. Click "Style Management": you can create a new style, or modify an asp style and add to the upload types allowed by the picture control types such as |asa, |AASPSP or |cer (any type the server will execute as a script); click "Submit", then in the toolbar settings add the "Insert Picture" control. Then preview this style, click Insert Picture, upload the webshell, and view the path of the uploaded file in "code" mode.
2. When the administrator has changed the database to an asp or asa suffix, you can insert the server side of a one-line trojan into the database, then connect with the one-line trojan client to get a webshell.
3. Cannot execute after uploading? Go back to style management and look at the style you edited: the upload path can be customized!
4. Set the upload type but still cannot upload? The file code has probably been changed; try setting the "remote type" as in the shell method for version 6.0 (see below ↓), which can set the types that remote files are automatically saved as.
5. Cannot add toolbars, but a style's file type is set; what to do? ↓ Do it like this!
(Please modify the Action field)
Action.html
eWebEditor: footprints of previous intrusions
Vulnerability Description:
When we have downloaded the database and looked up the plaintext of the password MD5, we can look at the Webeditor_style (14) style table to see whether a previous intrusion may already have given a control the ability to upload scripts; then construct the address and upload our own webshell.
Attack Exploits:
For example id=46, s_name=standard1.
Constructed code: Ewebeditor.asp?id=content&style=standard
After changing the ID and style name:
Ewebeditor.asp?id=46&style=standard1
eWebEditor directory traversal vulnerability
Vulnerability Description:
Ewebeditor/admin_uploadfile.asp
Admin/upload.asp
Lax filtering results in a directory traversal vulnerability.
Attack Exploits:
The first type: ewebeditor/admin_uploadfile.asp?id=14
Add &dir= after id=14 ...
e.g. add &dir=./..
&dir=http://www.heimian.com/../.. lists the entire website's files.
The second type: Ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./.
eWebEditor 5.2 directory listing vulnerability
Vulnerability Description:
Ewebeditor/asp/browse.asp
Lax filtering results in a directory traversal vulnerability.
Default table name: Ewebeditor_system; default column names: Sys_username, Sys_userpass; then use NBSI to guess them.
eWebEditor 2.8.0 final: arbitrary file deletion vulnerability
Vulnerability Description:
This vulnerability exists in the delete.asp file in the Example\newssystem directory, an eWebEditor test page that can be reached directly without logging in.
Exploit (please modify the action field to the target URL):
Del files.html
eWebEditor v6.0.0 upload vulnerability
Attack Exploits:
Click "Insert Picture" in the editor, then "Network", and enter the address of your webshell in the box (note: the filename must be of the form xxx.jpg.asp or similar). Click OK, then click the "Remote file automatic upload" control (the first upload will prompt you to install the control; just wait a moment). View "Code" mode to find the file upload path and access it. The eWeb official demo allows this, but its upload directory has execute permissions removed, so the uploaded web shell cannot run.
Then press Enter three times, clear the browser URL, and now enter an ordinary file path such as .../ewebeditor/admin/default.php; you go straight in.
eWebEditor for PHP arbitrary file upload vulnerability
Affected versions: eWebEditor PHP v3.8 or older
Vulnerability Description:
This release saves all style configuration information in the array $astyle; when register_globals is on in php.ini, we can add our own style and define the upload types.
Attack Exploits:
Phpupload.html
eWebEditor JSP version vulnerabilities
Much the same; I don't want to say more in this document, because I have no environment to test in, and the online dumps are so big that they are not easy to troubleshoot. With the JSP editor, I think eWeb's share will be much smaller than FCKeditor's.
eWebEditor 2.8 Business Edition one-line trojan
Affected versions: >= 2.8 Commercial Edition
Attack Exploits:
Log in to the back end, click Modify Password, and set the new password to 1 ": Eval request (" H ") '
After it is set successfully, access the asp/config.asp file: the one-line trojan has been written into this file.
In fact, the so-called bigcneditor is the VIP user version of eWebEditor 2.7.5. The reason admin_login.asp is not accessible and shows the four-character message "insufficient authority" is probably its "licensed" authorization: perhaps only authorized machines are allowed to access the back end.
Perhaps the following low-level tricks for eWebEditor v2.8 can be used on it too. I haven't really done much about it.
Getting a shell with the Windows 2003 IIS filename resolution vulnerability
Affected versions: <= webhtmleditor final version 1.7 (no longer updated)
Vulnerability Description / Exploitation:
Uploaded pictures and other files are not renamed, so a malicious user can upload diy.asp;.jpg to circumvent the suffix check. For this kind of editor, because of the author's lapses in awareness, even when thumbnails or file-header checks are encountered they can be broken through with a picture that has a one-line trojan inserted into it.
Test environment: Apache 2.0.53 on Windows XP, Apache 2.0.52 on Red Hat Linux
1. Foreign researchers (the SSR team) issued several advisories on vulnerabilities related to Apache's MIME module (mod_mime), in which Attack.php.rar is executed as a PHP file, including the Discuz! P11.php.php.php.php.php.php.php.php.php.php.php.php.rar flaw.
2. S4T's Superhei posted this Apache feature on his blog: Apache checks the suffixes from the end and executes according to the last legal suffix. In fact, just look at the default index.XX files installed in Apache's htdocs and you will understand.
3. Superhei has already explained it very clearly. To make full use of the upload vulnerability, I tested the file formats that are generally permitted for upload; they are listed below (don't blame the messy classification).
Typical type: rar
Backup type: bak, lock
Streaming media type: wma, wmv, asx, as, mp4, rmvb
Microsoft type: sql, chm, hlp, shtml, asp
Arbitrary type: test, fake, ph4nt0m
Special type: torrent
Program type: jsp, c, cpp, pl, cgi
4. The key to the entire flaw is what Apache regards as a "legal suffix"; it is the suffixes that are not "legal" that can be exploited.
5. Test environment:
a.php
then append arbitrary suffixes for testing: a.php.aaa, a.php.aab, ...
by Cloie, in Ph4nt0m.net (c).
Appendix B:
With the IIS6 server (Windows 2003) installed, the affected filename suffixes include .asp, .asa, .cdx, .cer, .pl, .php and .cgi.
Windows 2003 Enterprise Edition is Microsoft's current mainstream server operating system. Windows 2003 IIS6 has a file-path resolution vulnerability: when a folder name looks like hack.asp (that is, the folder name looks like the filename of an ASP file), any type of file under this folder (such as .gif, .jpg, .txt, etc.) is executed as an ASP program by IIS. So a hacker can upload a trojan file with an extension such as jpg or GIF that looks like a picture, and run the trojan by accessing this file. If any folder on the website has a name ending in .asp, .php, .cer, .asa, .pl and so on, any type of file placed under it may be treated as a script file and executed by the script parser.
Appendix C:
Vulnerability Description:
When the filename is [yyy].asp;[zzz].jpg, Microsoft IIS automatically parses it as ASP.
And when the filename is [yyy].php;[zzz].jpg, Microsoft IIS automatically parses it as PHP.
Here [yyy] and [zzz] are arbitrary strings.
Affected platforms:
Windows Server 2000/2003/2003 R2 (IIS 5.x/6.0)
Patching method:
1. Wait for the related Microsoft patch package.
2. Remove script execution permissions from the image directory (provided your pictures are not stored mixed in with program files).
3. Check the code handling all picture uploads in the site program, and intercept pictures of the form [yyy].asp;[zzz].jpg.
Note:
Windows Server 2008 (IIS 7) and Windows Server 2008 R2 (IIS 7.5) are not affected.
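The defensive counterpart to patching method 3 above, written here as an added example in Python (it is not code from this page or from FCKeditor or eWebEditor): an upload-path validator that rejects the three name shapes the page describes, a folder named like a script (Appendix B), a ';' in the filename (Appendix C) and a script suffix anywhere in the name (the Apache mod_mime notes), and then stores the file under a random name so that no duplicate-numbering step such as FCKeditor's "123.asp;123 (1).jpg" can reintroduce the client's string. The extension sets and message texts are assumptions of the example.

```python
import re
import secrets

# Assumed lists for this example; tune them to the server in use. Every suffix
# the server's handler mappings route to an interpreter belongs in SCRIPT_EXTS.
SCRIPT_EXTS = {"asp", "asa", "cer", "cdx", "php", "php2", "php4", "pht", "inc",
               "pwml", "pl", "cgi", "shtml", "jsp"}
ALLOWED_EXTS = {"jpg", "jpeg", "gif", "png"}


def upload_path_problems(relative_path):
    """Return every reason a client-supplied upload path must be rejected.

    Checks: a folder named like a script ("Bin.asp/x.jpg", IIS6), a ';' in the
    name ("a.asp;b.jpg", IIS6), a script suffix anywhere in the name
    ("a.php.rar", Apache mod_mime), traversal, and a trailing dot or space.
    """
    problems = []
    if relative_path.startswith(("/", "\\")):
        problems.append("absolute path")
    parts = [p for p in re.split(r"[\\/]+", relative_path) if p]
    if ".." in parts:
        problems.append("path traversal component")
    *dirs, name = parts or [""]
    for d in dirs:
        if d.rsplit(".", 1)[-1].lower() in SCRIPT_EXTS:
            problems.append(f"directory {d!r} named like a script (IIS6 folder parsing)")
    if ";" in name:
        problems.append("';' in filename (IIS6 stops parsing at the semicolon)")
    if name != name.strip() or name.endswith("."):
        problems.append("trailing space or dot (Windows strips it on save)")
    # Split on '.' and ';' so "123.asp;123.jpg" yields ["123", "asp", "123", "jpg"].
    exts = [e.strip().lower() for e in re.split(r"[.;]", name)[1:]]
    if not exts or exts[-1] not in ALLOWED_EXTS:
        problems.append("final extension not allow-listed")
    if any(e in SCRIPT_EXTS for e in exts):
        problems.append("script suffix inside the name (Apache mod_mime reads every suffix)")
    return problems


def stored_name_for(relative_path):
    """Validate, then discard the client name: random stem plus allow-listed suffix.

    Nothing of the client string survives, so no later duplicate-numbering
    step can reintroduce it the way FCKeditor's "(1)" renaming did."""
    problems = upload_path_problems(relative_path)
    if problems:
        raise ValueError("; ".join(problems))
    name = re.split(r"[\\/]+", relative_path)[-1]
    return f"{secrets.token_hex(16)}.{name.rsplit('.', 1)[-1].lower()}"
```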