最新FCKEditor ASP上传绕过漏洞

admin

exploiut-db：

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
. ?9 C) s9 V, G9 a$ E  R! M$ T- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
( ?$ k0 q# v1 @) S, g- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
- a% c7 C) l2 V' xdealing with the duplicate files. As a result, it is possible to bypass
' I* ?6 K9 S5 P' V5 O; o' H! Lthe protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
+ }5 [* A  F5 p3 G+ M8 ^% T3 w" |9 Z, RNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In “config.asp”, wherever you have:
% O: ~- ^, ]) d0 S/ L7 d5 ]% z      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
Change it to:
; D0 N" U# K- n( g      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”

8 T% o( E' {( u# L" w- W

/ M9 D. J! w- j: g) n3 }) r
3 r: U+ u+ a6 q/ Y
php测试无效
asp/aspx测试成功：
来到/FCKeditor/editor/filemanager/connectors/test.html
4 s* Y; U- X$ I! [/ k8 t因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt

! u+ h' h3 t6 a1 \+ m9 M/ }0 m# e( Wburpsuite上传包并修改，repeater
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

9 D6 o% N% B; H3 w6 B如图，webshell为：http://localhost/userfiles/file/asd(1).asp
% P! O  |- x) |; P0 |