exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
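To show what the anchors in that quick patch change, here is an added example in Python; it is constructed for this page and is not FCKEditor's connector code. It models an extension allowlist checked with a regex (once as the page's "Extensions Here" form, once wrapped in "^(...)$"), plus a hypothetical save path that truncates the name at a NUL byte and appends "(n)" on a filename collision, the two behaviours the post above relies on. The extension list, the file set and the crafted name are all constructed sample values.

```python
import re

# Constructed allowlist in the shape of the page's config.asp entries:
# the same extension list once in the page's "Extensions Here" form and
# once wrapped in the "^(...)$" anchors the quick patch adds.
UNANCHORED = r"txt|jpg|gif|png"
ANCHORED = r"^(txt|jpg|gif|png)$"


def extension_of(filename):
    """Return the text after the last dot, lowercased ('' when there is no dot)."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def extension_allowed(filename, pattern):
    """Regex-based allowlist check: True when the pattern is found in the extension."""
    return re.search(pattern, extension_of(filename)) is not None


def stored_name(requested, existing):
    """Hypothetical save path (constructed, not FCKEditor's): the filesystem layer
    truncates at the first NUL, and a collision with an existing file gets a
    '(n)' counter inserted before the extension."""
    base = requested.split("\x00", 1)[0]
    if base not in existing:
        return base
    stem, dot, ext = base.rpartition(".")
    n = 1
    while True:
        candidate = f"{stem}({n}).{ext}" if dot else f"{base}({n})"
        if candidate not in existing:
            return candidate
        n += 1


def weak_upload(requested, existing):
    """Weak pattern: validate the name the client sent, with the unanchored list,
    and never look at the name that is actually written to disk.
    Returns the stored name, or None when the upload is refused."""
    if not extension_allowed(requested, UNANCHORED):
        return None
    return stored_name(requested, existing)


def hardened_upload(requested, existing):
    """Hardened pattern: reject control characters (NUL included) and path
    separators, compute the final on-disk name first, then validate that name
    with the anchored list. Returns the stored name, or None when refused."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in requested):
        return None
    if "/" in requested or "\\" in requested:
        return None
    final = stored_name(requested, existing)
    if not extension_allowed(final, ANCHORED):
        return None
    return final


if __name__ == "__main__":
    existing = {"asd.asp.txt"}          # constructed: a file left by an earlier upload
    crafted = "asd.asp\x00txt"          # the %00 name from the post, after URL decoding
    print(weak_upload(crafted, existing))              # asd.asp  (stored with .asp)
    print(hardened_upload(crafted, existing))          # None     (refused)
    print(hardened_upload("notes.txt", {"notes.txt"})) # notes(1).txt
```

Two independent properties make the hardened version hold: the anchored pattern only accepts an extension that is exactly one of the listed values, and the check runs on the name that will actually be stored, after any truncation or "(n)" renaming, so nothing that happens between validation and the write can change the outcome. The page's quick patch adds the first property; the second is the general rule that the advisory's description of unvalidated duplicate handling points at.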
PHP test: did not work.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite, modify it, and send it from Repeater
Change the name to asd.asp%00txt, then URL-encode the %00; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp