Latest FCKEditor ASP upload bypass vulnerability
Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description: There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"
PHP test: did not work.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
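Added example (not from the post and not FCKEditor's own code): a Python model of the quick patch quoted above, showing why an unanchored allow-list accepts an extension such as asp followed by a NUL byte and txt, while the anchored ^(...)$ form rejects it, and why the name actually stored after duplicate renaming should be validated again. The allow-list contents and the (1) rename scheme are assumptions.

```python
import re
from typing import Optional, Set

# Added example, not FCKEditor's code. The allow-list below is an assumption
# standing in for the "Extensions Here" value in config.asp.
ALLOWED_EXTENSIONS = "txt|jpg|gif|png"

# Weak form: "Extensions Here" used as-is, so the regex may match anywhere.
UNANCHORED = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)
# Patched form: "^(Extensions Here)$", the extension must match as a whole.
ANCHORED = re.compile(rf"^({ALLOWED_EXTENSIONS})$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Text after the last dot, which is what the allow-list check sees."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def is_allowed(filename: str, pattern: re.Pattern) -> bool:
    """True when the extension satisfies the given allow-list regex."""
    return pattern.search(extension_of(filename)) is not None


def deduplicated_name(filename: str, existing: Set[str]) -> str:
    """Append (1), (2), ... before the extension until the name is unused
    (assumed rename scheme, modelled on the asd(1).asp in the post)."""
    stem, _, ext = filename.rpartition(".")
    candidate, n = filename, 0
    while candidate in existing:
        n += 1
        candidate = f"{stem}({n}).{ext}"
    return candidate


def accept_upload(filename: str, existing: Set[str]) -> Optional[str]:
    """Hardened check: returns the name to store under, or None if rejected."""
    # Control characters (including NUL) never belong in a stored file name.
    if any(ord(c) < 32 for c in filename):
        return None
    if not is_allowed(filename, ANCHORED):
        return None
    final = deduplicated_name(filename, existing)
    # Validate the name that is actually written, not only the one submitted.
    if not is_allowed(final, ANCHORED):
        return None
    return final
```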