漏洞复现
1.首先查看fckeditor版本,在url中输入/fckeditor/_whatsnew.html
2.需要知道fckeditor的上传地址
常用的上传地址有:
(1)fckeditor/editor/filemanager/browser/default/connectors/test.html
(2)fckeditor/editor/filemanager/upload/test.html
(3)fckeditor/editor/filemanager/connectors/test.html
(4)fckeditor/editor/filemanager/connectors/uploadtest.html
每一个都试一下,发现是
fckeditor/editor/filemanager/connectors/test.html
上传一句话木马(asp类型),,但是这个版本的fckeditor是不允许上传asp后缀的文件,所以需要使用Burpsuite截包,修改后缀名为.asp;jpg
后面就菜刀连接