• ECSHOP 2.7.1 漏洞及利用

    在百度找一下ECSHOP 2.7.1漏洞确实很少,这里呈上和大家一起研究一下。
    漏洞利用文件 http://target/includes/fckeditor/editor/filemanager/connectors/test.html

    我们看下 includes/fckeditor/editor/filemanager/connectors/php/config.php
    漏洞代码如下
    复制代码$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
    $Config['FileTypesPath']['File']        = $Config['UserFilesPath'] . 'File/' ;
    $Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'File/' ;
    $Config['QuickUploadPath']['File']      = $Config['UserFilesPath'] . 'File/' ;
    $Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] . 'File/' ;
    //$Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
    $Config['AllowedExtensions']['Image']    = array('jpg','gif','jpeg','png') ;
    $Config['DeniedExtensions']['Image']    = array() ;
    $Config['FileTypesPath']['Image']       = $Config['UserFilesPath'] . 'Image/' ;
    $Config['FileTypesAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Image/' ;
    $Config['QuickUploadPath']['Image']     = $Config['UserFilesPath'] . 'Image/' ;
    $Config['QuickUploadAbsolutePath']['Image']= $Config['UserFilesAbsolutePath'] . 'Image/' ;
    //$Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
    $Config['AllowedExtensions']['Flash']    = array('swf','fla') ;
    $Config['DeniedExtensions']['Flash']    = array() ;
    $Config['FileTypesPath']['Flash']       = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['FileTypesAbsolutePath']['Flash']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Flash/' ;
    $Config['QuickUploadPath']['Flash']     = $Config['UserFilesPath'] . 'Flash/' ;
    $Config['QuickUploadAbsolutePath']['Flash']= $Config['UserFilesAbsolutePath'] . 'Flash/' ;
    //$Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
    $Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;
    $Config['FileTypesPath']['Media']       = $Config['UserFilesPath'] . 'Media/' ;
    $Config['FileTypesAbsolutePath']['Media']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Media/' ;
    $Config['QuickUploadPath']['Media']     = $Config['UserFilesPath'] . 'Media/' ;
    $Config['QuickUploadAbsolutePath']['Media']= $Config['UserFilesAbsolutePath'] . 'Media/' ;

    复制代码$Config['AllowedExtensions']['Media']   = array() ;
    $Config['DeniedExtensions']['Media']    = array() ;

    对Media 没有任何限制. 直接 Type=Media 上传 你的 webshell
    访问路径为
    http://target/images/upload/Media/xxx.php
  • 相关阅读:
    【LeetCode】226. Invert Binary Tree
    【LeetCode】235. Lowest Common Ancestor of a Binary Search Tree
    【LeetCode】191. Number of 1 Bits
    【LeetCode】122. Best Time to Buy and Sell Stock II
    【LeetCode】100. Same Tree
    【LeetCode】237. Delete Node in a Linked List
    【LeetCode】136. Single Number
    【LeetCode】104. Maximum Depth of Binary Tree
    svn tree conflicts 解决方法
    sed详解
  • 原文地址:https://www.cnblogs.com/robinli/p/2709873.html
Copyright © 2020-2023  润新知