Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50

From exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"

PHP test: no effect.
ASP/ASPX test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater:
change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
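To make the advisory's quick patch (wrapping the allowlist in `^(...)$`) and the write-up above concrete, here is an added example that is not from the post, from exploit-db or from FCKEditor's own source. It models two things a defender should check in any upload connector: that the allowlist is an anchored match against the final extension only (not a bare substring regex over the name), and that the check is applied to the name that actually lands on disk, after duplicate renaming and after anything a C-string file API would truncate at a NUL byte. The `name(1).ext` renaming, the NUL truncation, and the short allowlist are constructed stand-ins, not the connector's real code.

```python
import re
from typing import Optional, Set

# Constructed allowlist in config.asp's "ext1|ext2|..." style (FCKEditor
# ships a much longer list; this is just enough for the demonstration).
ALLOWED = "7z|gif|jpg|png|txt|zip"


def unanchored_check(name: str) -> bool:
    """Weak check: the allowlist is used as a bare regex, so any allowed
    extension appearing anywhere in the name is enough (substring match)."""
    return re.search(ALLOWED, name, re.IGNORECASE) is not None


def anchored_check(ext: str) -> bool:
    """Hardened check, shaped like the advisory's patch: the whole value
    must equal one allowlist entry, nothing before or after it."""
    return re.fullmatch(f"^({ALLOWED})$", ext, re.IGNORECASE) is not None


def final_extension(name: str) -> str:
    """Extension after the last dot, lower-cased; empty if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def disk_name(name: str) -> str:
    """Model of a NUL-terminated file API: everything after the first NUL
    byte is silently dropped when the file is created."""
    return name.split("\x00", 1)[0]


def dedupe(name: str, existing: Set[str]) -> str:
    """Model of the connector's duplicate handling: name.ext -> name(1).ext,
    name(2).ext, ... until a free name is found."""
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    n = 1
    while True:
        candidate = f"{stem}({n}){dot}{ext}" if dot else f"{name}({n})"
        if candidate not in existing:
            return candidate
        n += 1


def weak_upload(name: str, existing: Set[str]) -> Optional[str]:
    """Vulnerable flow: validate the raw submitted name with the substring
    regex, then let the storage layer truncate and rename unchecked.
    Returns the stored name, or None if rejected."""
    if not unanchored_check(name):
        return None
    stored = dedupe(disk_name(name), existing)
    existing.add(stored)
    return stored


def hardened_upload(name: str, existing: Set[str]) -> Optional[str]:
    """Hardened flow: refuse control bytes and path separators outright,
    compute the name that will really be stored, and only then run the
    anchored extension check on that final name."""
    if any(ord(c) < 32 for c in name) or "/" in name or "\\" in name:
        return None
    stored = dedupe(name, existing)
    if not anchored_check(final_extension(stored)):
        return None
    existing.add(stored)
    return stored


if __name__ == "__main__":
    # Constructed scenario: a harmless .txt is already on disk.
    files = {"asd.asp.txt"}
    print(weak_upload("asd.asp\x00txt", set(files)))      # stored as asd.asp
    print(hardened_upload("asd.asp\x00txt", set(files)))  # None (rejected)
```

The two checks differ on exactly the input the post describes: `unanchored_check("asd.asp\x00txt")` passes because `txt` occurs in the string, while the hardened path rejects the NUL byte before any regex runs and, even without it, `anchored_check("asp")` fails. Running the anchored check on the post-rename name also covers the duplicate path the advisory says was left unvalidated.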
