Clever use of the Maxthon browser to find the path of a file uploaded through Fckeditor - vulnerability warning - the black bar safety net

2009-12-06T00:00:00
ID MYHACK58:62200925513
Type myhack58
Reporter Anonymous
Modified 2009-12-06T00:00:00

Description

Recently a friend asked me: when using the Fckeditor upload vulnerability combined with the Windows 2003 server parsing vulnerability to get a webshell on a site, the path of the file can never be found after it is uploaded, so what should be done? I believe many people have run into this problem. First, let's look at the Fckeditor vulnerability: http://www.xxx.com/fckeditor/editor/filemanager/browser/default/browser.html?typeall&connector=connectors/asp/connector.asp

We can use the above address to open the file browser of a website that has Fckeditor installed. Once it is open, as you can see, many people who have no injection vulnerability to work with are probably unable to list the path that Fck uploads files to, right?

Indeed, many people usually find an FCK on a site where injection works but getting a webshell through a differential backup has failed. They then use the Fck vulnerability combined with the 2003 parsing vulnerability to upload and get a webshell, or use the arbitrary Php file upload vulnerability in Fck that was disclosed some time ago to get a webshell.

But most people think those vulnerabilities are of little use, because if you upload a webshell and cannot obtain its path, it is all in vain.

Here are a few ways to get the path:

1: Visit the site's content and view the properties of its pictures. Look at the path and file name, and check whether they match the directory and file names in the Fck upload directory. If they do, you can determine the file path.

2: The other way is the one I mainly want to explain today: using the Maxthon browser to find the path of the file uploaded through Fckeditor!

First of all: open Maxthon and go to "Tools" - "Web Sniffer".

Then set the sniffed file type to all files, and turn on sniffer notifications.

Then open the same address:

http://www.xxx.com/fckeditor/editor/filemanager/browser/default/browser.html?typeall&connector=connectors/asp/connector.asp

View the sniffing results and you will find a record like this:

http://www.yedream.co.kr/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

Open it directly in the browser, and it gives the following results:

Anyone familiar with Web applications can see that this is XML! Yes! Fck uses XML to list the files, and the XML can be displayed directly, which is exactly what makes our intrusion convenient!

The above clearly tells us the site-relative path of the currently uploaded files.

So we create a folder named 123.asp, upload a file renamed to xiaoma.jpg into it, and then visit the URL

http://tech.anquan365.com/UploadFiles_6054/200804/20080422112739448.jpg

The next step is to write the file, and the webshell is obtained smoothly. The Fckeditor editor really can be harmful. So this is also a reminder to webmasters: be careful when using a program, because the program may come with a "back door" of its own.
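
For the webmasters addressed above, a log check for the activity this article describes: directory listings requested from the Fckeditor connector, folders named like 123.asp passed to it, and files served from inside such a folder. This is an added example, not part of the original article; the log lines are constructed, and the field order and finding labels are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log. Assumed field order (IIS W3C style):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2009-12-06 10:01:02 203.0.113.7 GET /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ 200
2009-12-06 10:01:40 203.0.113.7 GET /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/123.asp/ 200
2009-12-06 10:02:15 203.0.113.7 GET /UploadFiles/123.asp/xiaoma.jpg - 200
2009-12-06 10:03:00 198.51.100.9 GET /UploadFiles/200804/photo.jpg - 200
"""

# Any file-manager connector script under an Fckeditor install.
CONNECTOR = re.compile(r"/filemanager/.*connector\.\w+$", re.I)
# A directory segment whose name ends in .asp, such as /123.asp/.
ASP_DIR = re.compile(r"/[^/]+\.asp/", re.I)


def classify(line):
    """Return (client_ip, uri_stem, findings), or None if nothing matched."""
    parts = line.split()
    if len(parts) != 7:
        return None  # comment, header or malformed line
    ip, stem, query = parts[2], unquote(parts[4]), parts[5]
    findings = []
    if CONNECTOR.search(stem):
        # parse_qs percent-decodes values; keys are lowercased for matching.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        if "getfoldersandfiles" in (c.lower() for c in params.get("command", [])):
            findings.append("connector-listing")
        values = [v for vals in params.values() for v in vals]
        if any(ASP_DIR.search(v.rstrip("/") + "/") for v in values):
            findings.append("asp-named-folder-in-connector-request")
    elif ASP_DIR.search(stem) and not stem.lower().endswith(".asp"):
        # A non-script file requested from inside a folder named *.asp.
        findings.append("file-served-from-asp-named-folder")
    return (ip, stem, findings) if findings else None


def scan(log_text):
    """Classify every line and keep only the ones with findings."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, stem, findings in scan(SAMPLE_LOG):
        print(ip, stem, ", ".join(findings))
```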