exploit-db: FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation of file extensions when the FCKEditor 2.6.8 ASP version
handles duplicate file names. As a result, the protection can be bypassed and
a file with any extension uploaded.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
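The quick patch matters because an unanchored pattern matches anywhere inside the extension string, so an extension such as `asp<NUL>txt` still "contains" `txt`. The Python below is an added illustration of the check, not FCKEditor's ASP code; the allow-list, the `name(1).ext` renaming rule and the function names are my assumptions. It also rejects control characters before any name reaches the filesystem and validates the name that will actually be written after duplicate renaming.

```python
import re
from urllib.parse import unquote

# Constructed allow-list for the "File" resource type; FCKEditor's real list is longer.
ALLOWED = "txt|jpg|gif|pdf"

# The pattern as config.asp had it before the quick patch (no anchors) and after it.
UNANCHORED = re.compile(ALLOWED, re.IGNORECASE)
ANCHORED = re.compile(r"^(" + ALLOWED + r")$", re.IGNORECASE)


def extension_of(name):
    """Text after the last dot of the bare file name, or '' when there is no dot."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def extension_allowed(ext, pattern=ANCHORED):
    """True when the extension satisfies the allow-list pattern."""
    return pattern.search(ext) is not None


def unique_name(name, existing):
    """Duplicate-file renaming as seen in the post: asd.txt -> asd(1).txt (assumed rule)."""
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    n = 1
    while f"{stem}({n}){dot}{ext}" in existing:
        n += 1
    return f"{stem}({n}){dot}{ext}"


def check_upload(raw_name, existing, pattern=ANCHORED):
    """Return (accepted, stored_name) for a URL-encoded file name from the request."""
    name = unquote(raw_name)
    # NUL and other control characters must never reach a filesystem API: reject outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False, None
    # Validate the name that will actually be written, not the one first submitted.
    stored = unique_name(name, existing)
    if not extension_allowed(extension_of(stored), pattern):
        return False, None
    return True, stored
```

Pass `UNANCHORED` to `extension_allowed` to see the pre-patch behaviour side by side with `ANCHORED`.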
Tested with PHP: no effect.
Tested with ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite, modify it, and send it via Repeater
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp
As in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp