FCKEditor 2.6.8 file upload vulnerability

The original Exploit-DB entry reads as follows:

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

In the video (you need to get past the Great Firewall to watch it), we can see very clearly:
1. First, uploading .aspx files is forbidden.
2. Using %00 truncation (URL-decoded), on the first upload the null byte in the file name is converted to an underscore (_).

Next, when we upload for the second time, the miracle happens
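As an added illustration (not FCKEditor's own code), here is a Python model of the hardened upload check that the quick patch above points at: the extension allowlist is anchored as "^(Extensions Here)$", the file name is sanitized before any duplicate handling, and the name that is finally written is validated a second time. The allowlist, the sanitizer and the sample file names are constructed for this example.

```python
import re

# Constructed allowlist, in the same alternation form as a
# ConfigAllowedExtensions entry in config.asp.
ALLOWED = "jpg|gif|png|txt|zip"

# Anchored form "^(Extensions Here)$" from the quick patch above: the whole
# extension must be in the list, not merely contain a listed one.
ANCHORED = re.compile(rf"^({ALLOWED})$", re.IGNORECASE)


def extension_of(name: str) -> str:
    """Text after the last dot, lower-cased; '' when there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def sanitize(name: str) -> str:
    """Drop any path component and replace NUL and other control
    characters with '_' (the underscore seen on the first upload)."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[\x00-\x1f]", "_", name)


def store_hardened(original: str, existing: set) -> str:
    """Return the name to write for an uploaded file.

    `existing` is the set of names already present in the upload
    directory. Every derived name is built from the sanitized name, and
    the name actually written is validated a second time, so the
    duplicate-handling path cannot produce an extension the first check
    would have rejected.
    """
    name = sanitize(original)
    if not ANCHORED.match(extension_of(name)):
        raise ValueError(f"extension not allowed: {name!r}")
    base, _, ext = name.rpartition(".")
    counter = 0
    while name in existing:
        counter += 1
        name = f"{base}({counter}).{ext}"
    if "\x00" in name or not ANCHORED.match(extension_of(name)):
        raise ValueError(f"final name not allowed: {name!r}")
    return name
```

The point of the second check is that the rename on collision is derived from the already sanitized name, so a null byte in the original name can never come back into the name handed to the file system.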