exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
PHP: test did not work.
ASP/ASPX: test successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier "second upload" (duplicate-file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the filename to asd.asp%00txt, then convert the %00 via URL encoding and upload; the result is asd(1).asp

As shown in the screenshot, the webshell is at: http://localhost/userfiles/file/asd(1).asp
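The quick patch quoted above only adds ^( )$ anchors to the allowlist regex. The Python model below is added here to show why that is enough to block the asd.asp%00txt trick; it is not code from the post, from exploit-db or from FCKeditor. The allowlist string, the function names and the treatment of the filesystem as a C-string API that cuts the name at the first NUL byte are constructed assumptions for the example (re.search with IGNORECASE stands in for VBScript's RegExp.Test with IgnoreCase). The duplicate-file renaming path that produces the "(1)" in the advisory is not modelled.

```python
import re

# Constructed allowlist in the "ext1|ext2|..." form that the
# ConfigAllowedExtensions.Add "File", "..." line in config.asp holds.
# Assumption: the real 2.6.8 list is longer; only the shape matters here.
ALLOWED_FILE_EXTENSIONS = "7z|doc|gif|jpg|pdf|png|txt|zip"


def extension_of(filename: str) -> str:
    """Text after the last dot, lower-cased; '' when there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def is_allowed_unpatched(filename: str) -> bool:
    """Model of the unanchored check: the pattern may match anywhere in the
    extension, so 'asp\\x00txt' is accepted because it contains 'txt'."""
    ext = extension_of(filename)
    return re.search(ALLOWED_FILE_EXTENSIONS, ext, re.IGNORECASE) is not None


def is_allowed_patched(filename: str) -> bool:
    """Same check with the ^( )$ anchors the quick patch adds: the whole
    extension must be exactly one allowlisted token."""
    ext = extension_of(filename)
    pattern = "^(" + ALLOWED_FILE_EXTENSIONS + ")$"
    return re.search(pattern, ext, re.IGNORECASE) is not None


def name_on_disk(filename: str) -> str:
    """Assumed model of a C-string based filesystem API: the name is cut at
    the first NUL byte, so 'asd.asp\\x00txt' lands on disk as 'asd.asp'."""
    return filename.split("\x00", 1)[0]


def classify(filename: str) -> dict:
    """Run both checks on one candidate name and report what would hit disk."""
    return {
        "name": filename,
        "extension_seen_by_check": extension_of(filename),
        "unpatched_accepts": is_allowed_unpatched(filename),
        "patched_accepts": is_allowed_patched(filename),
        "name_on_disk": name_on_disk(filename),
    }


if __name__ == "__main__":
    # Constructed candidates: the PoC name from the post plus a few variants.
    for name in ["asd.txt", "asd.asp", "asd.asp\x00txt", "shell.aspx\x00gif"]:
        r = classify(name)
        print(f"{r['name']!r:24} check sees {r['extension_seen_by_check']!r:14} "
              f"unpatched={r['unpatched_accepts']!s:5} patched={r['patched_accepts']!s:5} "
              f"on disk -> {r['name_on_disk']!r}")
```

Run as a script to see the table: asd.asp\x00txt is accepted by the unanchored check and stored as asd.asp, while the anchored check rejects it and still accepts a plain asd.txt. If you port the anchored check to Python for real, prefer re.fullmatch over ^( )$, because Python's $ also matches before a trailing newline.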