exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
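The quick patch above only adds `^(` and `)$` around the allowed-extension list. The following JavaScript is an added illustration of what that anchoring changes; it is not FCKeditor's own code. It assumes, for illustration only, that a connector turns the config entry into a regular expression and runs a case-insensitive search over an extension string taken from the incoming file name (here: everything after the first dot). The page does not state how the real connector derives that string, so the `extensionString` helper, the allowed list and the sample names are all constructed. A stricter derivation that a defender would prefer (`strictExtension`) is shown beside it.

```javascript
// Unpatched entry as it would sit in config.asp (constructed list of extensions).
const ALLOWED_UNPATCHED = "txt|jpg|gif|png";
// Patched entry per the advisory: the same list anchored to the whole string.
const ALLOWED_PATCHED = "^(txt|jpg|gif|png)$";

// Lenient extension derivation (assumption for illustration, not FCKeditor's):
// everything after the FIRST dot, so a double extension yields "asp.txt".
function extensionString(fileName) {
  const i = fileName.indexOf(".");
  return i === -1 ? "" : fileName.slice(i + 1);
}

// Allowed-list check built directly on the config entry. With an unanchored
// pattern a substring match is enough; with the anchored pattern the whole
// extension string must be one of the listed tokens.
function isAllowed(fileName, allowedEntry) {
  return new RegExp(allowedEntry, "i").test(extensionString(fileName));
}

// Stricter derivation: text after the LAST dot, accepted only if it is plain
// alphanumerics. Dots, NUL and other control bytes make the name invalid.
function strictExtension(fileName) {
  const i = fileName.lastIndexOf(".");
  const ext = i === -1 ? "" : fileName.slice(i + 1);
  return /^[a-z0-9]+$/i.test(ext) ? ext.toLowerCase() : null;
}

function isAllowedStrict(fileName, allowedEntry) {
  const ext = strictExtension(fileName);
  return ext !== null && new RegExp(allowedEntry, "i").test(ext);
}

// Constructed sample names: a normal upload, a double extension, a name with
// an embedded NUL (the %00 from the post, written as a JS string) and the
// renamed duplicate. Run with: node thisfile.js
const samples = ["photo.jpg", "asd.asp.txt", "asd.asp\u0000txt", "asd(1).asp"];
for (const name of samples) {
  console.log(
    JSON.stringify(name),
    "unpatched:", isAllowed(name, ALLOWED_UNPATCHED),
    "patched:", isAllowed(name, ALLOWED_PATCHED),
    "strict:", isAllowedStrict(name, ALLOWED_PATCHED)
  );
}
```

The unanchored entry accepts "asd.asp.txt" and the NUL-containing name because `txt` occurs somewhere inside the extension string; the anchored entry rejects both, which is the effect of the quick patch. The strict variant additionally refuses any name whose final extension is not plain alphanumerics, so the check does not depend on how later file-system code treats a NUL byte.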
PHP test: no effect.
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp.
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp