(三)通过CuteEditor上传而获得突破
由于微软的IIS6存在着一个文件解析路径的漏洞,当文件夹名为类似“xxx.asp”的时候(即文件夹名看起来像一个ASP文件的文件名),此时此文件夹下的文本类型的文件都可以在IIS中被当作ASP程序来执行。这样可上传扩展名为jpg或gif之类的看起来像是图片文件的木马文件,通过访问这个文件即可运行木马。
通过分析和观察,发现本网站系统是采用的CuteEditor编辑器。该编辑器本身的安全还做的可以,分为管理员/user/guest三种权限,其配置文件位于“CuteEditor\Configuration\Security”目录,通过分析Admin.config文件,其涉及安全核心关键代码如下:
<configuration>
<security name="RestrictUploadedImageDimension">false</security>
<security name="OverWriteExistingUploadedFile">false</security>
<security name="AutoResizeUploadedImages">true</security>
<security name="MaxImageWidth">1024</security>
<security name="MaxImageHeight">768</security>
<security name="MaxImageSize">1000</security>
<security name="MaxMediaSize">100</security>
<security name="MaxFlashSize">100</security>
<security name="MaxDocumentSize">10000</security>
<security name="MaxTemplateSize">1000</security>
<security name="ImageGalleryPath">~/uploads</security>
<security name="MediaGalleryPath">~/uploads</security>
<security name="FlashGalleryPath">~/uploads</security>
<security name="TemplateGalleryPath">~/templates</security>
<security name="FilesGalleryPath">~/uploads</security>
<security name="MaxImageFolderSize">102400</security>
<security name="MaxMediaFolderSize">102400</security>
<security name="MaxFlashFolderSize">102400</security>
<security name="MaxDocumentFolderSize">102400</security>
<security name="MaxTemplateFolderSize">102400</security>
<security name="ThumbnailWidth">80</security>
<security name="ThumbnailHeight">80</security>
<security name="ThumbnailColumns">5</security>
<security name="ThumbnailRows">3</security>
<security name="AllowUpload">true</security>
<security name="AllowModify">true</security>
<security name="AllowRename">true</security>
<security name="AllowDelete">true</security>
<security name="AllowCopy">true</security>
<security name="AllowMove">true</security>
<security name="AllowCreateFolder">true</security>
<security name="AllowDeleteFolder">true</security>
</configuration>
<security name="RestrictUploadedImageDimension">false</security>
<security name="OverWriteExistingUploadedFile">false</security>
<security name="AutoResizeUploadedImages">true</security>
<security name="MaxImageWidth">1024</security>
<security name="MaxImageHeight">768</security>
<security name="MaxImageSize">1000</security>
<security name="MaxMediaSize">100</security>
<security name="MaxFlashSize">100</security>
<security name="MaxDocumentSize">10000</security>
<security name="MaxTemplateSize">1000</security>
<security name="ImageGalleryPath">~/uploads</security>
<security name="MediaGalleryPath">~/uploads</security>
<security name="FlashGalleryPath">~/uploads</security>
<security name="TemplateGalleryPath">~/templates</security>
<security name="FilesGalleryPath">~/uploads</security>
<security name="MaxImageFolderSize">102400</security>
<security name="MaxMediaFolderSize">102400</security>
<security name="MaxFlashFolderSize">102400</security>
<security name="MaxDocumentFolderSize">102400</security>
<security name="MaxTemplateFolderSize">102400</security>
<security name="ThumbnailWidth">80</security>
<security name="ThumbnailHeight">80</security>
<security name="ThumbnailColumns">5</security>
<security name="ThumbnailRows">3</security>
<security name="AllowUpload">true</security>
<security name="AllowModify">true</security>
<security name="AllowRename">true</security>
<security name="AllowDelete">true</security>
<security name="AllowCopy">true</security>
<security name="AllowMove">true</security>
<security name="AllowCreateFolder">true</security>
<security name="AllowDeleteFolder">true</security>
</configuration>
在上面的代码中可以看到如果具有管理员权限,那么是可以在网站建立目录,也就是说在某种情况下,完全可以利用IIS文件目录解析漏洞来获的Webshell。
1.打开媒体上传窗口
直接在使用该编辑器的网页中单击插入媒体的按钮,出现如图12所示的界面。
图12 打开插入媒体窗口
2.新建一个simeon.asp的文件夹
在“Insert Media”窗口中可以发现有一个新建文件夹的图片,如果该图标是灰色的那么就无能为力了,如图13所示,我们新建一个叫“simeon.asp”的文件夹,建立成功后如图14所示。
图13 新建simeon.asp文件夹
