中国网络渗透测试联盟

标题: 最新FCKEditor ASP上传绕过漏洞 [打印本页]

---

作者: admin    时间: 2012-12-10 10:18
标题: 最新FCKEditor ASP上传绕过漏洞
exploiut-db：
( S* O3 G, r# h# b" V
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
: ]4 g) H+ J" ]! e' }& ~. B; Q
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
1 _" u9 }7 A2 X+ E, x- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
5 s1 P2 P6 ^  a% V, ?- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
& n7 f; Y& x/ S. Q! tdealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
/ \: S! S, ]/ D- v& `. v- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
1 R; B7 {6 b: `/ `" ?8 ?In “config.asp”, wherever you have:
      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
5 {# [- i7 Z; R: R/ b: OChange it to:
% c" j# L4 _8 ~4 I      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”
+ n; @3 ^  N2 k6 r( x
9 {! |9 b1 e" n3 B9 M  L
7 ~) H, C5 w; U( Q; q
8 h5 X0 m( |& B5 R1 ^
+ S; H2 {6 g' J$ S% `& {
php测试无效
asp/aspx测试成功：
来到/FCKeditor/editor/filemanager/connectors/test.html
' `$ `3 [/ O5 V因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt

burpsuite上传包并修改，repeater
2 d9 O' o9 N5 e名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

如图，webshell为：http://localhost/userfiles/file/asd(1).asp
: f7 X$ N% K: A* P! s7 x

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2