  • ECSHOP 2.7.1 vulnerability and its exploitation

    Searching Baidu for ECSHOP 2.7.1 vulnerabilities really turns up very little, so I am posting this one here for everyone to study together.
    Vulnerable file: http://target/includes/fckeditor/editor/filemanager/connectors/test.html

    Let's look at includes/fckeditor/editor/filemanager/connectors/php/config.php
    The vulnerable code is as follows:
    $Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
    $Config['FileTypesPath']['File']        = $Config['UserFilesPath'] . 'File/' ;
    $Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'File/' ;
    $Config['QuickUploadPath']['File']      = $Config['UserFilesPath'] . 'File/' ;
    $Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] . 'File/' ;
    //$Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
    $Config['AllowedExtensions']['Image']    = array('jpg','gif','jpeg','png') ;
    $Config['DeniedExtensions']['Image']    = array() ;
    $Config['FileTypesPath']['Image']       = $Config['UserFilesPath'] . 'Image/' ;
    $Config['FileTypesAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Image/' ;
    $Config['QuickUploadPath']['Image']     = $Config['UserFilesPath'] . 'Image/' ;
    $Config['QuickUploadAbsolutePath']['Image']= $Config['UserFilesAbsolutePath'] . 'Image/' ;
    //$Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
    $Config['AllowedExtensions']['Flash']    = array('swf','fla') ;
    $Config['DeniedExtensions']['Flash']    = array() ;
    $Config['FileTypesPath']['Flash']       = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['FileTypesAbsolutePath']['Flash']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Flash/' ;
    $Config['QuickUploadPath']['Flash']     = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['QuickUploadAbsolutePath']['Flash']= $Config['UserFilesAbsolutePath'] . 'Flash/' ;
    //$Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    $Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;
    $Config['FileTypesPath']['Media']       = $Config['UserFilesPath'] . 'Media/' ;
    $Config['FileTypesAbsolutePath']['Media']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Media/' ;
    $Config['QuickUploadPath']['Media']     = $Config['UserFilesPath'] . 'Media/' ;
    $Config['QuickUploadAbsolutePath']['Media']= $Config['UserFilesAbsolutePath'] . 'Media/' ;

    $Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;


    There is no restriction at all on the Media type: both its allowed-extension list and its denied-extension list are empty. Upload your webshell directly with Type=Media.
    The access path is
    http://target/images/upload/Media/xxx.php
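    The reason two empty arrays amount to "no restriction" is the connector's allow/deny semantics: an empty allow list is treated as "allow everything", and with an empty deny list nothing is ever rejected. The PHP below is an added example written for this post, not code from ECSHOP or FCKeditor. `isAllowedExtFckStyle` is my reconstruction of that permissive logic (the real connector's function and variable names differ), `isAllowedExtStrict` is a fail-closed replacement, `findOpenResourceTypes` is a small audit helper for spotting the empty-allow-list condition in a config array, and `$hardenedConfig` shows what the two Media lines should look like; the extension values in it are my suggestion.

```php
<?php
// Added example, not part of ECSHOP or FCKeditor. Names below are my own.

// Constructed config mirroring the two Media lines quoted from config.php,
// with the Image type included for contrast.
$vulnerableConfig = array(
    'AllowedExtensions' => array(
        'Image' => array('jpg', 'gif', 'jpeg', 'png'),
        'Media' => array(),   // empty allow list
    ),
    'DeniedExtensions' => array(
        'Image' => array(),
        'Media' => array(),   // empty deny list
    ),
);

// My reconstruction of the FCKeditor connector's check (assumption): an empty
// allow list means "allow everything" and only the deny list is consulted, so
// with both lists empty every extension passes.
function isAllowedExtFckStyle(array $config, $extension, $resourceType)
{
    $extension = strtolower($extension);
    $allowed = isset($config['AllowedExtensions'][$resourceType]) ? $config['AllowedExtensions'][$resourceType] : array();
    $denied  = isset($config['DeniedExtensions'][$resourceType])  ? $config['DeniedExtensions'][$resourceType]  : array();

    if (count($allowed) > 0 && !in_array($extension, $allowed, true)) {
        return false;
    }
    if (count($denied) > 0 && in_array($extension, $denied, true)) {
        return false;
    }
    return true;
}

// Fail-closed check: an unknown resource type, an empty allow list, or a file
// without an extension is rejected; the deny list is still honoured; the
// extension is the text after the last dot, lower-cased.
function isAllowedExtStrict(array $config, $filename, $resourceType)
{
    if (!isset($config['AllowedExtensions'][$resourceType])) {
        return false;
    }
    $allowed = $config['AllowedExtensions'][$resourceType];
    if (count($allowed) === 0) {
        return false;
    }
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($extension === '') {
        return false;
    }
    $denied = isset($config['DeniedExtensions'][$resourceType]) ? $config['DeniedExtensions'][$resourceType] : array();
    if (in_array($extension, $denied, true)) {
        return false;
    }
    return in_array($extension, $allowed, true);
}

// Audit helper: resource types whose allow list is empty, i.e. the condition
// that leaves a type wide open under the permissive semantics above.
function findOpenResourceTypes(array $config)
{
    $open = array();
    foreach ($config['AllowedExtensions'] as $type => $list) {
        if (count($list) === 0) {
            $open[] = $type;
        }
    }
    return $open;
}

// Hardened replacement for the two Media lines: a closed allow list plus an
// explicit deny list for server-side executable extensions (my suggestion).
$hardenedConfig = $vulnerableConfig;
$hardenedConfig['AllowedExtensions']['Media'] = array('mp3', 'mp4', 'avi', 'wmv', 'mov');
$hardenedConfig['DeniedExtensions']['Media']  = array('php', 'php3', 'php4', 'php5', 'phtml', 'phps', 'htaccess');

// Same extension, same config, permissive check versus strict check.
var_dump(isAllowedExtFckStyle($vulnerableConfig, 'php', 'Media'));
var_dump(isAllowedExtStrict($vulnerableConfig, 'x.php', 'Media'));
// Strict check against the hardened config, a media file and a script.
var_dump(isAllowedExtStrict($hardenedConfig, 'clip.mp4', 'Media'));
var_dump(isAllowedExtStrict($hardenedConfig, 'x.php', 'Media'));
// Which types in the quoted config have an empty allow list.
var_dump(findOpenResourceTypes($vulnerableConfig));
```

    Two caveats for anyone fixing a deployment rather than just reading the config: the extension check is only one layer, so the upload directory (images/upload/ here) should also be served with script execution disabled, because a name like shell.php.jpg passes an extension check on "jpg" yet Apache with an `AddHandler` mapping for .php will still execute it; and an empty allow list should be treated as a configuration error at load time, not silently as "allow all", which is exactly what the strict check above does.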

  • Original post: https://www.cnblogs.com/robinli/p/2709873.html