中国网络渗透测试联盟

标题: 最新FCKEditor ASP上传绕过漏洞 [打印本页]

---

作者: admin    时间: 2012-12-10 10:18
标题: 最新FCKEditor ASP上传绕过漏洞
exploiut-db：
. L0 H* g& I( \) |+ E) v2 C5 c- a
2 o( Q& E5 u) n, X& M! SFCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
  s9 N& _7 S1 D/ k9 p# Q9 F- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
( v: F& c$ v$ B7 {# n: |- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
5 U) j) a- m7 x1 u  fthe protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
! r+ ]9 a6 q4 H# u9 A  t! d- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
( q: v  `) `0 S" ~' W"
9 P- c9 }9 D) j0 UNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In “config.asp”, wherever you have:
4 _/ U5 R% K8 t& J4 ^& S0 i      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
Change it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”
  ^% j3 Y  G+ l0 K( ?# K9 z
7 a8 N5 j0 l0 e' h* C
5 ?+ g1 L+ _- S9 Q  G! A
+ e& s9 U6 w) ]+ n. \
5 R0 w2 W% }- o! S
php测试无效
/ ]) `" j" {  `: Zasp/aspx测试成功：
来到/FCKeditor/editor/filemanager/connectors/test.html
! \9 b8 N% `# C1 B0 `' v) X) J2 d因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt

3 o. ~$ j2 M! d' nburpsuite上传包并修改，repeater
8 D6 d- S" x! e/ H# V. S名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

% `. Q! e/ H& z如图，webshell为：http://localhost/userfiles/file/asd(1).asp

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2