exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when the FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In “config.asp”, wherever you have:
    ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
Tested on PHP: no effect.
Tested on ASP/ASPX: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it with Repeater.
Change the name to asd.asp%00txt, then convert the %00 using URL encoding; after uploading you get asd(1).asp.
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp