exploiut-db:
7 _' x5 K; ]" z+ T* y0 u0 }
5 G' R4 r: `4 k) QFCKEditor ASP Version 2.6.8 File Upload Protection Bypass
1 G1 \8 e; v6 S* j7 {: X" O- H C) E+ u' ^- b: j
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
: X R8 r2 P6 Z3 F ]! V- Credit goes to: Mostafa Azizi, Soroush Dalili
& x+ J; f* }7 i& `0 g8 J O- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/( S8 Z1 Z& T* j! ~& ?
- Description:
2 c, o V, B1 KThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is
2 J; ` l# g' a! n! ?; @5 I/ I/ Kdealing with the duplicate files. As a result, it is possible to bypass
M$ \. E5 o) r: o; Z4 e; tthe protection and upload a file with any extension.
2 I ~) U/ `! M- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/$ Y! b1 g( v: V4 @. {$ E+ ^% v; {
- Solution: Please check the provided reference or the vendor website.
- n) G T1 h' {- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
- C6 ]* J8 E+ e" v( N; D# |5 x"
1 d4 Q& U" j$ K q+ A5 gNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:# V4 [2 T8 g; v
In “config.asp”, wherever you have:
! E E6 M: S$ e4 O: e, O) B ConfigAllowedExtensions.Add “File”,”Extensions Here”0 x- l& b3 } [6 x0 k: |5 M
Change it to:
9 }' Q [3 {6 N+ D3 Y4 i' | ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”
/ U1 I* W) u) ~" f
7 x R7 c- g, a* g$ K
. [/ f' R) f/ D9 E$ z) W h: \, c7 Y2 c$ [
, o$ r! D5 J! o- V8 a
2 d6 N% [9 g# M$ b F
php测试无效
, [4 K0 i2 [" z: ]asp/aspx测试成功:" ~% w; c4 G) _' b
来到/FCKeditor/editor/filemanager/connectors/test.html; X, x" o* h2 i ]# O. t5 J% P
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
9 C, k e$ f u+ r* o; X: @1 J1 o! d! s& w3 v5 B
burpsuite上传包并修改,repeater }6 U5 d; o" l- p+ M
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
+ T/ X$ H: Z. Q8 R# F/ f/ ]- D* _+ l# P: Z8 A/ p5 ]
如图,webshell为:http://localhost/userfiles/file/asd(1).asp
' j6 y R2 L1 _- P, U
/ b" J8 L7 T# z |
发表于 2012-12-10 10:18:50
收藏
支持
反对