Latest FCKEditor ASP Upload Bypass Vulnerability

OP, posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"

Testing against the PHP version had no effect.
Testing against ASP/ASPX succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier re-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp

As shown in the figure, the webshell is at: http://localhost/userfiles/file/asd(1).asp
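As an added illustration (not from this post and not FCKeditor's own connector code), the following Python models the extension check that the quick patch in the advisory changes: an unanchored alternation is satisfied by an extension that merely contains an allowed token, while the `^(...)$` form requires the whole extension to match. The allow-list value, the `dedupe_name` helper and the `safe_upload_name` flow are assumptions made for the demonstration, written from the defender's side.

```python
import re

# Allow-list in the style of the config.asp value (constructed sample).
ALLOWED = "gif|jpg|jpeg|png|txt|zip"


def extension_of(filename):
    """Return the text after the last dot, lower-cased ('' if no dot)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def allowed_unanchored(filename):
    """Models the original pattern: the bare alternation is searched, so an
    extension that merely *contains* an allowed token (e.g. 'asp' followed
    by a NUL byte and 'txt') passes the check."""
    return re.search(ALLOWED, extension_of(filename)) is not None


def allowed_anchored(filename):
    """Models the quick patch: ^(...)$ makes the whole extension match."""
    return re.match(f"^({ALLOWED})$", extension_of(filename)) is not None


def dedupe_name(filename, existing):
    """Simplified model (assumption) of the connector's duplicate handling:
    name.ext -> name(1).ext -> name(2).ext ... until the name is unused."""
    if filename not in existing:
        return filename
    stem, ext = filename.rsplit(".", 1)
    n = 1
    while f"{stem}({n}).{ext}" in existing:
        n += 1
    return f"{stem}({n}).{ext}"


def safe_upload_name(filename, existing):
    """Hardened flow: reject control characters (a NUL would make the name
    written differ from the name checked), use the anchored check, and
    validate the final de-duplicated name again, not only the submitted one.
    Returns the name to write, or None to reject the upload."""
    if any(ord(c) < 32 for c in filename):
        return None
    if not allowed_anchored(filename):
        return None
    final = dedupe_name(filename, existing)
    return final if allowed_anchored(final) else None
```

The point of the last function is that the extension check runs on the name that will actually be written, which is where the advisory says the 2.6.8 connector skipped validation.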