中国网络渗透测试联盟

标题: 最新FCKEditor ASP上传绕过漏洞 [打印本页]

---

作者: admin    时间: 2012-12-10 10:18
标题: 最新FCKEditor ASP上传绕过漏洞
exploiut-db：
1 J; T3 y" d8 r# C/ D' p- Z
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

0 H8 p8 @5 N- b5 g6 ]4 j* L- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
6 E$ t  z  ~9 \  ~. L0 g" R6 {There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
) O5 v, y7 ?7 F: w  p4 \& u1 C3 Rthe protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
: F+ {- V  H: a- c$ t1 F- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
1 W+ b% C2 g: F" `0 X4 w; eIn “config.asp”, wherever you have:
+ U2 Q0 {; p0 I6 ^      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
+ j4 R9 g! W, l$ c1 DChange it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”




% K; O# ~+ C# r& r! M9 k
8 i5 Q, B8 c" _, gphp测试无效
asp/aspx测试成功：
来到/FCKeditor/editor/filemanager/connectors/test.html
因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt

( p- X( i5 }" @! [4 ~- nburpsuite上传包并修改，repeater
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

& [2 @  J0 p" @) }" |/ p如图，webshell为：http://localhost/userfiles/file/asd(1).asp
7 v6 ^' L/ ^( o& ~
: r& a: _. R6 ], ~8 A

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2