Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"

PHP test: did not work.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html.
Because this combines with the earlier duplicate-upload (second upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the filename to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp.

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
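To make the quick patch above concrete, here is an added Python illustration (not FCKEditor's code and not from the post) of why anchoring the allow-list pattern with ^(...)$ matters. The names ALLOWED, weak_is_allowed, strict_is_allowed, stored_name and classify are my own; the allow-list value is a constructed stand-in for the "Extensions Here" placeholder, and stored_name assumes the C-string NUL truncation the bypass relies on rather than describing any specific connector code path. The duplicate-file rename to asd(1).asp is deliberately left out.

```python
import re

# Constructed allow-list, standing in for the "Extensions Here" placeholder
# in FCKEditor's config.asp. Not the project's own value.
ALLOWED = "txt|jpg|gif|png"


def extension_of(filename: str) -> str:
    """Return the text after the last dot, lower-cased ('' if there is no dot)."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def weak_is_allowed(filename: str) -> bool:
    """Unanchored check: the allow-list only has to occur SOMEWHERE in the extension.

    This mirrors the pre-patch shape, where "Extensions Here" is used as a bare
    pattern: re.search() accepts the extension 'asp\\x00txt' because it contains
    the substring 'txt'.
    """
    return re.search(ALLOWED, extension_of(filename)) is not None


def strict_is_allowed(filename: str) -> bool:
    """Anchored check, the Python equivalent of the ^(Extensions Here)$ quick patch.

    re.fullmatch requires the whole extension to be exactly one allowed value.
    A NUL byte anywhere in the name is additionally rejected outright, because
    the name that reaches the file API would differ from the name validated here.
    """
    if "\x00" in filename:
        return False
    return re.fullmatch(f"({ALLOWED})", extension_of(filename)) is not None


def stored_name(filename: str) -> str:
    """Assumed on-disk name: a C-string based file API stops at the first NUL byte.

    This models the truncation the bypass relies on; it is an assumption made
    for illustration, not a statement about a specific FCKEditor code path.
    """
    return filename.split("\x00", 1)[0]


def classify(filename: str) -> dict:
    """Summarise how each check treats a name and what would land on disk."""
    return {
        "weak_accepts": weak_is_allowed(filename),
        "strict_accepts": strict_is_allowed(filename),
        "stored_as": stored_name(filename),
    }


if __name__ == "__main__":
    # Constructed sample names: the benign one from the post, the NUL-byte
    # variant, a plain .asp name, and a double extension that only the
    # anchored check catches.
    for name in ("asd.asp.txt", "asd.asp\x00txt", "asd.asp", "asd.txtasp"):
        print(repr(name), classify(name))
```

The unanchored check already rejects a plain asd.asp, which is why the bypass needs the NUL byte: the validated extension still contains "txt", while the stored name ends in ".asp". The anchored check, like the patched config.asp line, compares the entire extension and so closes both the NUL-byte and the trailing-junk (asd.txtasp) cases.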