Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"
" `2 w5 l+ X. X% {- f

3 P7 D0 ]% T3 h5 ?; D( ]2 m( K" q9 I1 N* ~9 R
0 u6 H. }8 c( P- a; c0 e3 }

PHP test: no effect.
ASP/ASPX test: successful.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-file (re-upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it and send it from Repeater:
change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
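As an added example (not code from the advisory, the poster, or FCKEditor itself), the following Python models the two checks the advisory contrasts: the allow-list used as a bare, unanchored regex versus the anchored ^(...)$ form from the quick patch, together with NUL truncation of the filename and a simplified (n) renaming on duplicates, driven by the filenames from the test above. The allow-list value, the directory state and the renaming rule are assumptions for illustration; the model does not claim to reproduce the connector's exact renaming logic.

```python
import re

# Constructed allow-list, in the shape of the config.asp entry quoted in the advisory.
# Everything in this file is a simplified model written for this page; it is not
# FCKEditor's connector code and does not reproduce its exact renaming behaviour.
ALLOWED_EXTENSIONS = "txt|jpg|gif"


def ext_allowed_unanchored(ext, allowed=ALLOWED_EXTENSIONS):
    """Weak check: the allow-list used as a bare regex, so any substring hit passes."""
    return re.search(allowed, ext, re.IGNORECASE) is not None


def ext_allowed_anchored(ext, allowed=ALLOWED_EXTENSIONS):
    """The advisory's quick patch: ^(list)$ forces the whole extension to match.
    Case-insensitive because IIS/Windows treat names that way."""
    return re.fullmatch(rf"^({allowed})$", ext, re.IGNORECASE) is not None


def on_disk_name(submitted):
    """Model of what a C/Win32 file API sees: the string is cut at the first NUL byte."""
    return submitted.split("\x00", 1)[0]


def dedupe(name, existing):
    """Model (assumed) of duplicate handling: insert (1), (2), ... before the last dot."""
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    n = 1
    while True:
        candidate = f"{stem}({n}){dot}{ext}"
        if candidate not in existing:
            return candidate
        n += 1


def vulnerable_upload(submitted, existing):
    """Validates the *submitted* extension with the unanchored regex, then stores
    whatever name the filesystem ends up with. Returns the stored name, or None."""
    ext = submitted.rpartition(".")[2]          # "asp\x00txt" for asd.asp%00txt
    if not ext_allowed_unanchored(ext):
        return None
    return dedupe(on_disk_name(submitted), existing)


def hardened_upload(submitted, existing):
    """Rejects control bytes and path separators up front, then validates the
    extension of the *final* name (after any renaming) with the anchored regex."""
    if re.search(r"[\x00-\x1f/\\]", submitted):
        return None
    final = dedupe(submitted, existing)
    _stem, dot, ext = final.rpartition(".")
    if not dot or not ext_allowed_anchored(ext):
        return None
    return final


if __name__ == "__main__":
    # Constructed directory state: a file named asd.asp already exists, so the
    # renaming path of the model is exercised by the NUL-byte name.
    existing = {"asd.asp"}
    for name in ["asd.asp.txt", "shell.asp", "asd.asp\x00txt"]:
        print(repr(name),
              "vulnerable ->", vulnerable_upload(name, existing),
              "hardened ->", hardened_upload(name, existing))
```

The point the model makes is the one behind the quick patch: the weak path checks a string (the submitted extension) that is not the string the server actually writes, and a substring match on "txt" inside "asp\x00txt" is enough to pass it. The hardened path refuses bytes a filesystem could truncate on, computes the final on-disk name first, and only then applies the anchored allow-list to that name.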