最新FCKEditor ASP上传绕过漏洞

admin

exploiut-db：

. p3 V  G/ @* S4 X  k% _- WFCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
5 D  e. M7 w! s. M& g- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
5 ^7 m# d- W  M9 x5 x! sdealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
6 D# K) e5 R) q/ W4 Y- z- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
. H/ w( R2 z' s0 P% s- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
  j: g. @  x. m7 ?8 N6 A( VIn “config.asp”, wherever you have:
) a% N, U7 r0 x/ c      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
; e( L: C$ T9 m1 V  {! `* oChange it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”
# b. s* n9 y; ~$ D/ R
/ I# g, Z  z; Y  t) c) j
% W3 m6 d9 y* i- E% c
) ^$ t) y3 M# m$ x7 ~* a2 ^
% D* x1 o3 t0 r/ Y7 u, {
: `# ?5 D  N2 O8 B* o/ Rphp测试无效
4 k" i% ^. i: T" K4 j6 easp/aspx测试成功：
# G! b& {7 ?6 H8 T( w来到/FCKeditor/editor/filemanager/connectors/test.html
因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt

burpsuite上传包并修改，repeater
/ E: \0 E& K: D3 ?名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp
- m# h* b* T5 h: v. u- ?5 r
如图，webshell为：http://localhost/userfiles/file/asd(1).asp
7 J: T! v8 w6 ~5 l
. H, [2 h# O% k% C/ l8 J- L