zoukankan      html  css  js  c++  java

  • ECSHOP 2.7.1 漏洞及利用

    在百度找一下ECSHOP 2.7.1漏洞确实很少,这里呈上和大家一起研究一下。
    漏洞利用文件 http://target/includes/fckeditor/editor/filemanager/connectors/test.html

    我们看下 includes/fckeditor/editor/filemanager/connectors/php/config.php
    漏洞代码如下
    复制代码$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
    $Config['FileTypesPath']['File']        = $Config['UserFilesPath'] . 'File/' ;
    $Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'File/' ;
    $Config['QuickUploadPath']['File']      = $Config['UserFilesPath'] . 'File/' ;
    $Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] . 'File/' ;
    //$Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
    $Config['AllowedExtensions']['Image']    = array('jpg','gif','jpeg','png') ;
    $Config['DeniedExtensions']['Image']    = array() ;
    $Config['FileTypesPath']['Image']       = $Config['UserFilesPath'] . 'Image/' ;
    $Config['FileTypesAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Image/' ;
    $Config['QuickUploadPath']['Image']     = $Config['UserFilesPath'] . 'Image/' ;
    $Config['QuickUploadAbsolutePath']['Image']= $Config['UserFilesAbsolutePath'] . 'Image/' ;
    //$Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
    $Config['AllowedExtensions']['Flash']    = array('swf','fla') ;
    $Config['DeniedExtensions']['Flash']    = array() ;
    $Config['FileTypesPath']['Flash']       = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['FileTypesAbsolutePath']['Flash']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Flash/' ;
    $Config['QuickUploadPath']['Flash']     = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['QuickUploadAbsolutePath']['Flash']= $Config['UserFilesAbsolutePath'] . 'Flash/' ;
    //$Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    $Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;
    $Config['FileTypesPath']['Media']       = $Config['UserFilesPath'] . 'Media/' ;
    $Config['FileTypesAbsolutePath']['Media']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Media/' ;
    $Config['QuickUploadPath']['Media']     = $Config['UserFilesPath'] . 'Media/' ;
    $Config['QuickUploadAbsolutePath']['Media']= $Config['UserFilesAbsolutePath'] . 'Media/' ;

    复制代码$Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;

    对Media 没有任何限制. 直接 Type=Media 上传 你的 webshell
    访问路径为
    http://target/images/upload/Media/xxx.php
  • 相关阅读:
    HDU3145 Max Sum of Max-K-sub-sequence (单调队列模板)
    AcWing1088 旅行问题(单调队列)
    POJ1821 Fence(单调队列)
    POJ1742 Coins(多重背包+二进制优化)
    AcWing217 绿豆蛙的归宿(期望)
    BZOJ.2134.[国家集训队]单选错位(概率 递推)
    洛谷.3805.[模板]manacher算法
    Codeforces.280C.Game on Tree(期望)
    BZOJ.2521.[SHOI2010]最小生成树(最小割ISAP/Dinic)
    洛谷.4172.[WC2006]水管局长(LCT Kruskal)
  • 原文地址:https://www.cnblogs.com/robinli/p/2709873.html
Copyright © 2011-2022 走看看