exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
 ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
 ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
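An added example, not FCKeditor's code and not from the advisory or the post above, that models the extension check in Python: the bare list used as an unanchored pattern, the anchored ^( ... )$ form from the quick patch, and a hardened validator built on it. The NUL truncation of the stored name and the (1) duplicate suffix are assumptions modelled on what the post reports (asd.asp%00txt becoming asd(1).asp), and the extension list is constructed.

```python
import re

# Allowed-extension list in the form config.asp takes; this particular
# list is constructed for the example, not copied from a real config.
EXTENSIONS_HERE = "txt|gif|jpeg|jpg|png"

# Pre-patch: the list is used as a bare, unanchored pattern.
UNANCHORED_RULE = re.compile(EXTENSIONS_HERE, re.IGNORECASE)
# Post-patch (the quick patch above): the list is wrapped in ^( ... )$.
ANCHORED_RULE = re.compile(rf"^({EXTENSIONS_HERE})$", re.IGNORECASE)

def extension_of(filename):
    """Text after the last dot of the name the connector was handed."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""

def passes_rule(filename, rule):
    """Extension check as a regex search. With the unanchored rule a
    substring hit such as 'txt' inside 'asp\\x00txt' is enough to pass."""
    return rule.search(extension_of(filename)) is not None

def stored_name(filename):
    """Name that actually reaches disk (assumption: the file API truncates
    at the first NUL, so 'asd.asp\\x00txt' is written as 'asd.asp')."""
    return filename.split("\x00", 1)[0]

def deduplicated_name(filename, existing):
    """Duplicate handling modelled on the (1) suffix the post reports,
    applied to the truncated on-disk name; 'existing' is a set of names."""
    name = stored_name(filename)
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    n = 1
    while f"{stem}({n}){dot}{ext}" in existing:
        n += 1
    return f"{stem}({n}){dot}{ext}"

def validate_upload(filename):
    """Hardened check: refuse control characters outright, then apply the
    anchored rule to the extension of the name that will really be stored."""
    if any(ord(c) < 0x20 for c in filename):
        return False
    return passes_rule(stored_name(filename), ANCHORED_RULE)
```

The unanchored rule accepts the NUL-bearing name because "txt" occurs somewhere in the extension, while the anchored rule and the hardened validator both reject it.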
PHP: tested, did not work
ASP/ASPX: tested, succeeded
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp