Latest FCKEditor ASP upload bypass vulnerability

Original poster, posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
PHP test: no effect
ASP/ASPX test: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload (second-upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after the upload you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
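The extension check that the quick patch above tightens, modelled as an added example in Python (this is not FCKeditor's VBScript and not code from the post or the advisory). It shows why an unanchored RegExp test against the '|'-separated allowed list accepts any extension string that merely contains an allowed one, such as "asp" followed by a NUL byte and "txt", and why wrapping the list in ^(...)$ stops that. The safe_unique_name helper goes one step further than the patch: it rejects NUL and path characters outright and re-checks the final de-duplicated "name(n).ext" string, i.e. the name that is actually written, rather than only the one the user submitted. The allowed-extension list, the function names and the exact rename format are assumptions for the example.

```python
import re
from typing import Optional, Set

# Allowed extensions for the "File" resource type, in the '|'-separated
# alternation form config.asp uses for ConfigAllowedExtensions.
# The list itself is an assumption for this example.
ALLOWED_FILE_EXTENSIONS = "7z|aiff|asf|avi|bmp|csv|doc|docx|gif|jpg|pdf|png|txt|zip"

# Characters no upload name should ever be written with.  NUL matters most:
# the Win32 file API treats it as end-of-string, so "a.asp\0txt" lands as "a.asp".
FORBIDDEN_CHARS = re.compile(r"[\x00-\x1f\\/:*?\"<>|]")


def extension_of(filename: str) -> str:
    """Return the text after the last '.', or '' when there is none."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def is_allowed_unanchored(ext: str, allowed: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """Model of the pre-patch check: RegExp.Test with the bare alternation as
    the pattern.  Without anchors it matches any extension that *contains* an
    allowed one, e.g. 'asp\\x00txt' passes because 'txt' occurs inside it."""
    return re.search(allowed, ext, re.IGNORECASE) is not None


def is_allowed_anchored(ext: str, allowed: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """Model of the quick patch from the post: the pattern wrapped as ^(...)$,
    so the whole extension must equal exactly one alternative."""
    return re.search(f"^({allowed})$", ext, re.IGNORECASE) is not None


def safe_unique_name(requested: str, existing: Set[str]) -> Optional[str]:
    """Pick the name that will actually be written and validate *that* name.

    Duplicates get the 'name(n).ext' suffix the post observed (asd(1).asp),
    but the extension check is repeated on the final string, and NUL/path
    characters are refused before any renaming happens.  Returns None when
    the upload must be rejected.  (Assumed rename format, not FCKeditor's.)
    """
    if FORBIDDEN_CHARS.search(requested) or "." not in requested:
        return None
    stem, ext = requested.rsplit(".", 1)
    candidate = requested
    counter = 0
    while candidate in existing:
        counter += 1
        candidate = f"{stem}({counter}).{ext}"
    # Re-validate the name about to hit the disk, not the user-supplied one.
    if FORBIDDEN_CHARS.search(candidate) or not is_allowed_anchored(extension_of(candidate)):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs mirroring the post: a legitimate .txt, then the same
    # stem with a NUL byte smuggled in front of the "txt" suffix.
    poisoned = "asd.asp\x00txt"
    print("unanchored accepts", repr(poisoned), is_allowed_unanchored(extension_of(poisoned)))
    print("anchored accepts  ", repr(poisoned), is_allowed_anchored(extension_of(poisoned)))
    print("duplicate rename  ", safe_unique_name("asd.txt", {"asd.txt"}))
    print("poisoned rename   ", safe_unique_name(poisoned, {"asd.asp.txt"}))
```

Note that Python's `$` also matches just before a trailing newline, so a bare `^(...)$` test on its own would accept "txt\n"; here FORBIDDEN_CHARS refuses every control character anyway, and `re.fullmatch` is the stricter choice if anchoring is the only defence you keep.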