exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
 ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
 ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

Tested with PHP: no effect.
Tested with ASP/ASPX: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then apply URL encoding to the %00; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
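The following Python is an added example, not FCKEditor's own connector code and not the poster's, written to show why the quick patch above (anchoring the allow-list with ^(...)$) matters and why the duplicate-file rename path needs its own validation. The allow-list string, the file names and the existing-file set are constructed for the example; the `store_upload` / `unique_name` helpers are assumptions that only mimic the connector's "name(1).ext" rename, not its real implementation. Unanchored, a pipe-separated allow-list used as a regex matches any extension that merely contains an allowed value, which is exactly what a NUL-truncated name exploits; anchored, only a whole allowed extension passes, and a hardened check also refuses control bytes and validates the final name that will actually be written.

```python
import re

# Constructed allow-list in the pipe-separated form that FCKEditor's config.asp
# uses for ConfigAllowedExtensions; the real default list is longer (assumption).
ALLOWED_EXTENSIONS = "7z|aiff|avi|bmp|csv|doc|gif|jpg|mp3|pdf|png|txt|zip"


def extension_pattern(allowed: str, anchored: bool) -> "re.Pattern[str]":
    """Compile the allow-list into a regex.

    anchored=False mirrors  ConfigAllowedExtensions.Add "File", "txt|png"
    anchored=True  mirrors  ConfigAllowedExtensions.Add "File", "^(txt|png)$"
    """
    return re.compile(f"^({allowed})$" if anchored else allowed, re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Text after the last dot of the base name ('' when there is no dot)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def extension_passes(filename: str, anchored: bool) -> bool:
    """The regex check alone, with or without anchors, applied to the extension."""
    ext = extension_of(filename)
    if not ext:
        return False
    return extension_pattern(ALLOWED_EXTENSIONS, anchored).search(ext) is not None


def is_allowed(filename: str) -> bool:
    """Hardened check: anchored regex plus rejection of control characters.

    A NUL (or any control byte) is refused outright: the name that is
    validated must be the name that is written, and Win32 file APIs stop
    reading a name at NUL, so an "asp<NUL>txt" extension would be stored
    as ".asp" even though the regex saw "txt".
    """
    if not filename or any(ord(c) < 0x20 for c in filename):
        return False
    return extension_passes(filename, anchored=True)


def unique_name(filename: str, existing: set) -> str:
    """Mimic the connector's rename of a duplicate: name.ext -> name(1).ext, ...

    This is an assumed stand-in for the real rename logic, used only so the
    duplicate-file path can be exercised here.
    """
    if filename not in existing:
        return filename
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    n = 1
    while f"{base}({n}){dot}{ext}" in existing:
        n += 1
    return f"{base}({n}){dot}{ext}"


def store_upload(filename: str, existing: set):
    """Return the name that would be written, or None if the upload is refused.

    Validation runs on the final (possibly renamed) name, not only on the
    name the client sent, so the duplicate-file branch is not a second,
    weaker code path.
    """
    final = unique_name(filename, existing)
    if not is_allowed(final):
        return None
    existing.add(final)
    return final
```

With the constructed list, `extension_passes("asd.asp\x00txt", anchored=False)` is true because the bare alternation finds "txt" inside "asp\x00txt", while the anchored form rejects it; `is_allowed` rejects the same name before the regex is even consulted, and `store_upload` applies that check to "asd.asp(1).txt" rather than to the name originally submitted.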