zoukankan      html  css  js  c++  java

  • ECSHOP 2.7.1 漏洞及利用

    在百度找一下ECSHOP 2.7.1漏洞确实很少,这里呈上和大家一起研究一下。
    漏洞利用文件 http://target/includes/fckeditor/editor/filemanager/connectors/test.html

    我们看下 includes/fckeditor/editor/filemanager/connectors/php/config.php
    漏洞代码如下
    复制代码$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
    $Config['FileTypesPath']['File']        = $Config['UserFilesPath'] . 'File/' ;
    $Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'File/' ;
    $Config['QuickUploadPath']['File']      = $Config['UserFilesPath'] . 'File/' ;
    $Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] . 'File/' ;
    //$Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
    $Config['AllowedExtensions']['Image']    = array('jpg','gif','jpeg','png') ;
    $Config['DeniedExtensions']['Image']    = array() ;
    $Config['FileTypesPath']['Image']       = $Config['UserFilesPath'] . 'Image/' ;
    $Config['FileTypesAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Image/' ;
    $Config['QuickUploadPath']['Image']     = $Config['UserFilesPath'] . 'Image/' ;
    $Config['QuickUploadAbsolutePath']['Image']= $Config['UserFilesAbsolutePath'] . 'Image/' ;
    //$Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
    $Config['AllowedExtensions']['Flash']    = array('swf','fla') ;
    $Config['DeniedExtensions']['Flash']    = array() ;
    $Config['FileTypesPath']['Flash']       = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['FileTypesAbsolutePath']['Flash']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Flash/' ;
    $Config['QuickUploadPath']['Flash']     = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['QuickUploadAbsolutePath']['Flash']= $Config['UserFilesAbsolutePath'] . 'Flash/' ;
    //$Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    $Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;
    $Config['FileTypesPath']['Media']       = $Config['UserFilesPath'] . 'Media/' ;
    $Config['FileTypesAbsolutePath']['Media']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Media/' ;
    $Config['QuickUploadPath']['Media']     = $Config['UserFilesPath'] . 'Media/' ;
    $Config['QuickUploadAbsolutePath']['Media']= $Config['UserFilesAbsolutePath'] . 'Media/' ;

    复制代码$Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;

    对Media 没有任何限制. 直接 Type=Media 上传 你的 webshell
    访问路径为
    http://target/images/upload/Media/xxx.php
  • 相关阅读:
    <Ajax> 四. get请求(验证用户名是否存在)
    <Ajax> 三. 前端和后端通过表单数据交互
    <Ajax> 一. PHP基本使用和基本数据类型
    <Ajax> 二. PHP选择语句和循环语句
    <Bootstrap> 学习笔记八. 导航栏和颁
    <Bootstrap> 学习笔记七. 下拉菜单和标签页
    <Bootstrap> 学习笔记六. 栅格系统使用案例
    <Bootstrap> 学习笔记五. 按钮组的使用
    <Bootstrap> 学习笔记三. 浮动的使用
    <Bootstrap> 学习笔记四. 表单组和输入框组的使用
  • 原文地址:https://www.cnblogs.com/robinli/p/2709873.html
Copyright © 2011-2022 走看看