exploit-db: FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
PHP test: no effect.
ASP/ASPX test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater:
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp
As shown in the image, the webshell is at: http://localhost/userfiles/file/asd(1).asp
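An added example (not from the advisory, the post, or FCKeditor's own code) modelling why the anchored-regex quick patch matters, and why anchoring alone is not enough. It assumes two things about the connector: the allowlist regex is applied to the text after the last "." of the submitted name, and the file-system layer truncates the name at the first NUL byte; the allowlist itself is constructed.

```python
import re

# Constructed allowlist standing in for the "Extensions Here" placeholder in config.asp.
ALLOWED_PATTERN = "txt|jpg|png|pdf"


def submitted_extension(filename: str) -> str:
    """Extension as the validator sees it: everything after the last '.' (assumption)."""
    return filename.rsplit(".", 1)[-1] if "." in filename else ""


def stored_name(filename: str) -> str:
    """Name as a C-string based file API stores it: cut at the first NUL (assumption)."""
    return filename.split("\x00", 1)[0]


def allowed_unanchored(filename: str) -> bool:
    """Weak check: the pattern may match anywhere inside the extension string."""
    return re.search(ALLOWED_PATTERN, submitted_extension(filename), re.IGNORECASE) is not None


def allowed_anchored(filename: str) -> bool:
    """Quick patch from the post: ^(...)$ forces the whole extension to match."""
    pattern = "^(" + ALLOWED_PATTERN + ")$"
    return re.search(pattern, submitted_extension(filename), re.IGNORECASE) is not None


def allowed_hardened(filename: str) -> bool:
    """Anchored check, but applied to the name that will actually be stored,
    and rejecting any control character (NUL included) outright."""
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        return False
    return allowed_anchored(stored_name(filename))


def evaluate(filename: str) -> dict:
    """Summarise how each variant of the check treats one submitted name."""
    return {
        "stored_as": stored_name(filename),
        "unanchored": allowed_unanchored(filename),
        "anchored": allowed_anchored(filename),
        "hardened": allowed_hardened(filename),
    }


if __name__ == "__main__":
    # Constructed inputs: a benign name, the two-extension name from the post,
    # the NUL-truncated name from the post, and a NUL placed before the dot.
    for name in ("report.txt", "asd.asp.txt", "asd.asp\x00txt", "asd.asp\x00.txt"):
        print(repr(name), evaluate(name))
```

The third input passes the unanchored check because "txt" occurs inside "asp\x00txt" yet is stored as asd.asp; the fourth passes even the anchored check, which is why the hardened variant validates the stored name and rejects control characters instead of relying on the regex alone.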