Webshell upload Technology--fckeditor Vulnerability upload Webshell

"Experimental Purpose"

FCKeditor is an online user editor. This experiment demonstrates an editor upload vulnerability Fckeditor2.4.2 the following version.

Currently the latest version is CKEditor 4.5.3.

"Experimental principle"

FCKeditor in 2.4.2 There is a direct upload of any file upload page, you can upload the Webshell directly.

"Experimental Steps"

One, editor operation

1.1 Open the Web site input/fckeditor, determine whether there is a FCKeditor editor, there is a 403 forbidden access, indicating that this directory exists

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M01/77/B5/wKioL1ZswM-ggGOuAACVrwj9_uM056.png "style=" float: none; "title=" 11.png "alt=" Wkiol1zswm-gggouaacvrwj9_um056.png "/>

1.2 Judging FCKeditor Editor version number, input: http://ip:83/FCKeditor/_whatsnew.html

This FCKeditor Editor version is 2.0

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/77/B6/wKiom1ZswM3i7Q6cAAEsoHxqiRI781.png "style=" float: none; "title=" 22.png "alt=" Wkiom1zswm3i7q6caaesohxqiri781.png "/>

1.3 There are two pages with upload vulnerabilities in FCKeditor this version:

fckeditor/editor/filemanager/browser/default/browser.html?type=image&connector=connectors/asp/ Connector.asp

Fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp? command=getfoldersandfiles&type=zhang&currentfolder=/

The first page is to open an upload page under the image directory under the Userfiles directory in the root directory of the Web site, the uploaded files are stored in this directory, and the second is to create a directory under the Userfiles directory under the root directory of the Web site.

1.4 Well, after understanding the key content, presumably you already understand the experimental steps of this experiment, let's take a look at the following steps, open Http://ip:83/FCKeditor/editor/filemanager/browser/default/ Browser.html?type=image&connector=connectors/asp/connector.asp

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M00/77/B6/wKiom1ZswM7jzMoMAACDQ3tDSyQ413.png "style=" float: none; "title=" 33.png "alt=" Wkiom1zswm7jzmomaacdq3tdsyq413.png "/>

Two, 00 truncation

2.1 We upload a normal picture, open a background can see, we upload a picture

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/77/B6/wKiom1ZswX7SQTopAABRgCknQ5g335.png "style=" float: none; "title=" 44.png "alt=" Wkiom1zswx7sqtopaabrgcknq5g335.png "/>

2.2 We directly upload an ' ASP ' a Word file, found not allowed to upload, then we use 00 truncation test

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/77/B5/wKioL1ZswYOCGoLbAAA1P4fySS8092.png "style=" float: none; "title=" 55.png "alt=" Wkiol1zswyocgolbaaa1p4fyss8092.png "/>

2.3 We crawl the data packets that upload the file

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M00/77/B6/wKiom1ZswYCCGsY2AAB78K_ZY-U421.png "style=" float: none; "title=" 66.png "alt=" Wkiom1zswyccgsy2aab78k_zy-u421.png "/>

2.4 Switch to hex mode, change the space of Hex 20 to 00

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M02/77/B6/wKiom1ZswYHyVzr_AAAnWuqVZWU739.png "style=" float: none; "title=" 77.png "alt=" Wkiom1zswyhyvzr_aaanwuqvzwu739.png "/>

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/77/B6/wKiom1ZswYGgubdDAAAWvNXUIf0721.png "style=" float: none; "title=" 88.png "alt=" Wkiom1zswyggubddaaawvnxuif0721.png "/>

2.5 Switch to Raw mode, space becomes like, send request

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/77/B5/wKioL1ZswYbRu36rAAB20fU8zYA303.png "style=" float: none; "title=" 99.png "alt=" Wkiol1zswybru36raab20fu8zya303.png "/>

2.6 View server Side again, 2.asp has been saved, upload successful

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/77/B5/wKioL1ZswYeQ5S9JAABO-PmQ3Jk116.png "style=" float: none; "title=" 100.png "alt=" Wkiol1zswyeq5s9jaabo-pmq3jk116.png "/>

At this point, we can use the kitchen knife to connect the Trojan Horse, follow-up operation, upload "Aunt" ah what.

This article from "Hong Seven public" blog, please be sure to keep this source http://klmyoil.blog.51cto.com/10978910/1722418

Webshell upload Technology--fckeditor Vulnerability upload Webshell