2025-04-20 Update. From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article describes how the file upload vulnerabilities in the FCKeditor 2.6.4.1 editor are exploited. The editor thinks it is very practical and shares it here for study.
FCKeditor editor file upload bypass
There are two ways to bypass the upload restriction: 00 truncation of the uploaded file name, and uploading in combination with the IIS 6.0 parsing vulnerability.
First, determine the FCKeditor version.
Common URLs for determining the version:
/FCKeditor/_whatsnew.html
/FCKeditor/editor/dialog/fck_about.html
Second, determine the FCKeditor upload interface.
Common URLs of the upload interface:
/FCKeditor/editor/filemanager/connectors/test.html
/FCKeditor/editor/filemanager/connectors/uploadtest.html
The current test version is 2.6.4.1
Method 1: 00 truncation upload
Try uploading one.asp.jpg (an error is reported and the configuration file needs to be modified).
Make the change in the configuration file named in the prompt (FCKeditor\editor\filemanager\connectors\asp\config.asp).
After the modification, upload again: one.asp.jpg has been changed to one_asp.jpg (this version of FCKeditor changes "." in an uploaded file name to "_", so 00 truncation is needed to bypass it).
Submit the test for the first time (note: the file name is changed to one.asp.aspjpg and then truncated at 00).
The picture below shows that "." becomes "_", and other symbols are also replaced with "_".
Upload a second time in the same way (the suffix can be seen to have become .asp).
Because a file with the same name was detected on the second upload, (1) was added to the name and the rest was truncated at 00, so the one-sentence Trojan (a one-line webshell) was successfully uploaded and parsed.
Finally, the connection test is successful!
Method 2: combine with the IIS 6.0 file parsing vulnerability
First create a folder named 1.asp, and then upload the picture horse (a webshell disguised as an image).
Click Create Folder to create a folder called 1.asp.
After creating the folder, click Get Folders and Files: the folder just created has been renamed, so it is not 1.asp but 1_asp, and the IIS 6.0 parsing vulnerability cannot be exploited this way.
After testing, change the current folder above to /1.asp (this folder does not exist yet); the listing confirms that it does not exist.
But if you create another folder with any name under this non-existent 1.asp folder, you will find that the 1.asp folder now exists.
Look at the contents of the 1.asp folder again: it now contains the test folder you just created, and the folder named 1.asp is also in effect.
Next, upload the picture horse into the 1.asp folder to obtain a webshell.
Check the image below and find that it has been uploaded successfully.
Connect (connected successfully)
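A server-side check that closes both paths described above, given here as an added example that is not FCKeditor's code and not part of the original article: it refuses any name carrying a 00 byte instead of rewriting it, and it validates the whole client-supplied current folder rather than only the new folder name. The function names, the extension allowlist and the `existing_folders` set are assumptions made for this example.

```python
import re

# Assumed policy for this example; not FCKeditor's own configuration.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")  # folder segment: no dots
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")  # exactly one dot


def has_control_chars(value):
    """True if the value carries NUL (00) or another control character."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value)


def check_upload(current_folder, filename, existing_folders):
    """Return the reasons to refuse the request; an empty list means accept."""
    reasons = []
    # Method 1: refuse (never rewrite) a name carrying a 00 byte, so no later
    # layer can act on a shorter name than the one that was validated.
    if has_control_chars(current_folder) or has_control_chars(filename):
        reasons.append("control character in folder or file name")
    # Method 2: check every segment of the client-supplied current folder,
    # not only the name typed into the Create Folder dialog.
    segments = [s for s in current_folder.split("/") if s]
    if not all(SAFE_SEGMENT.fullmatch(s) for s in segments):
        reasons.append("unsafe folder segment")
    # Method 2: a missing parent folder is an error, never created implicitly.
    if "/" + "/".join(segments) not in existing_folders:
        reasons.append("current folder does not exist")
    match = SAFE_NAME.fullmatch(filename)
    if match is None:
        reasons.append("file name is not <name>.<ext> with a single dot")
    elif match.group(1).lower() not in ALLOWED_EXT:
        reasons.append("extension not in allowlist")
    return reasons


if __name__ == "__main__":
    folders = {"/", "/images"}  # constructed sample of existing folders
    samples = [("/images/", "photo.jpg"), ("/", "one.asp.jpg"),
               ("/1.asp/", "pic.jpg"), ("/", "one.asp\x00jpg")]
    for folder, name in samples:  # constructed sample requests
        print(repr(folder), repr(name), check_upload(folder, name, folders))
```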
The above is how the FCKeditor 2.6.4.1 editor vulnerabilities are exploited. The editor believes these are knowledge points that we may see or use in our daily work.