exploiut-db:- T3 x" f0 k8 ]
( X+ w( J5 c; G/ w, j' g5 Q* v2 d
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
" q) ]/ f# e/ f8 U+ ^" x9 P' s5 [' O+ ^! M6 e6 _
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass/ |5 v( M2 t3 I6 h% p7 Y
- Credit goes to: Mostafa Azizi, Soroush Dalili, h: u8 J! N- N8 Y! B: `4 T
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
2 P" ]* H0 q! F- Description:8 j( M" s* ]. I8 \1 t* }' U
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is; a5 t2 b: p/ S4 I! K, g7 S
dealing with the duplicate files. As a result, it is possible to bypass
& ~+ s( ~4 a5 Y! R( Qthe protection and upload a file with any extension.; g. m% C8 ^! ?$ J1 n( r
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
}: U! R7 n! \- ~; n- Solution: Please check the provided reference or the vendor website.
' [: K5 u- F& N# P' @! Y- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720" K5 M+ Z- \' b0 }8 U* o2 h9 ]$ s
"
5 b. }1 t3 i4 e& s' ~# uNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
$ I+ R ~* E: J: jIn “config.asp”, wherever you have:/ U1 Z, }; `, J9 I1 n8 @$ O0 c( q
ConfigAllowedExtensions.Add “File”,”Extensions Here”
7 O+ q W$ [/ T2 m8 B: g* hChange it to:
# i. R4 L' r9 L/ R% M ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”) i1 H9 n/ s- I: U+ \# c
1 g; S- V4 W7 `5 J r4 m( |/ U
8 e0 `+ {/ j @& k7 c3 |( X7 R
2 N/ D" q# x. n$ v# ?
# y* s! P( [! n& J" D% p
- x$ z" r o- b Uphp测试无效" e) \5 V' ^/ m- G, k
asp/aspx测试成功:& E1 ?$ C3 J- m7 L8 f6 j
来到/FCKeditor/editor/filemanager/connectors/test.html
9 Z0 W& }* Q& |9 T0 K因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt$ y" a# {8 Q0 C" E1 r) L1 A
) |& c% v' S. m0 Eburpsuite上传包并修改,repeater. L5 t9 C$ z; X# \9 _
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp+ L4 k/ \% H; n ?, b3 w
P2 }. ?& n$ M# e- h" g5 `如图,webshell为:http://localhost/userfiles/file/asd(1).asp/ G' D- f" X5 @' v1 g% W
( \( l& f3 D6 _1 ? p: m( N3 r |