exploiut-db:
6 }- K3 b. s1 k5 k$ e
. @% W, O' g4 H$ {) A* y$ u4 ^( l/ LFCKEditor ASP Version 2.6.8 File Upload Protection Bypass
" j$ J2 U9 p8 @/ s3 T3 F4 X/ m1 J- U$ R# d; E' `
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- L. P' Y" f* z8 R, i4 p S( P- Credit goes to: Mostafa Azizi, Soroush Dalili1 Q- d$ M) H9 t- P! s
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/3 v* r& r; D* l- f$ v3 |/ S
- Description:
. E/ g- u. m$ s: ` b. XThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is& I2 _7 U' C6 R) _; Q+ ~7 W
dealing with the duplicate files. As a result, it is possible to bypass M$ P* T. o" d5 c6 x1 b. [
the protection and upload a file with any extension.
0 L& Y. S: S7 w+ z+ \9 \8 \- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
7 @7 L6 I k# H- Solution: Please check the provided reference or the vendor website.
) D7 M( F) ]# T# @6 e. W- r- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
( \6 Z) t9 i. I. {2 `"
8 a# R$ j7 j" G; iNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:$ j5 Z: h) T- Y% G& S- Z
In “config.asp”, wherever you have:( p6 `- v5 Q" U, E5 }6 _0 L; G
ConfigAllowedExtensions.Add “File”,”Extensions Here”: |6 g' _2 X6 z7 q$ N
Change it to:
! ^7 g8 @ w4 u9 L j ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”
" I+ Q5 L/ d/ x( O# W$ E( w' a* J1 [4 `' g; \2 R: A
3 \' E: I- N. ~; |* k$ ~, B3 O \0 z) v4 q, ]2 Z7 B
( F" n2 e+ T6 N
. m! ]: |. ]; ?" q: P' vphp测试无效, \2 N/ Y; Z- K8 u6 B- L" T
asp/aspx测试成功:( N6 H3 Q" j5 N0 l) Q; B; U
来到/FCKeditor/editor/filemanager/connectors/test.html( g) w1 v& q) k3 o% ^2 G
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
) m) ^& P' q( x! X% v* \
/ h- }+ L+ b( @% g( V4 Qburpsuite上传包并修改,repeater
: [3 _( k* B: A7 Q# v" E+ ^名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
, S1 W6 V u a2 k e* @
, C- Z$ ^$ }: v- x1 z+ N( `如图,webshell为:http://localhost/userfiles/file/asd(1).asp4 a4 s" M0 z7 V% \" v- X# }3 R
, `9 y) Q! O. } B1 ` |
发表于 2012-12-10 10:18:50
收藏
支持
反对