中国网络渗透测试联盟

标题: 最新FCKEditor ASP上传绕过漏洞 [打印本页]

---

作者: admin    时间: 2012-12-10 10:18
标题: 最新FCKEditor ASP上传绕过漏洞
exploiut-db：
1 F( A5 `5 f. G- a. z2 n
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
& |5 k! _+ X  v& g; Q# g) C( Q- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
2 I2 p& o# y" M) N/ Y5 K. WThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
5 [* }) s: h% I9 {( L* J' Q; S3 j& Ithe protection and upload a file with any extension.
! ]+ a# ^2 U3 i  G. ?- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
9 c& A' G7 }' ~3 x2 [- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
, _0 b8 k: T1 zIn “config.asp”, wherever you have:
! `' D% t) c, J9 w4 R: M+ w' W      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
3 o' }$ M- g$ X: S& N* K+ B( cChange it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”

& u5 H' k$ @( {0 x) {$ v

  j6 }3 L& s" n* }1 c8 _+ V' t9 i; g

% Q" D7 y& V3 _% N! Q' O* }& P$ Fphp测试无效
asp/aspx测试成功：
来到/FCKeditor/editor/filemanager/connectors/test.html
因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt
) a( s9 i& n! r: o# r) g  I7 r
; @. H8 U- }  C, rburpsuite上传包并修改，repeater
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp
0 r$ L9 S5 a7 W
) y6 a; E7 I& ?7 h) J4 D6 p. m如图，webshell为：http://localhost/userfiles/file/asd(1).asp
( p3 Y/ T: l' S  s

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2