Views: 2277 | Replies: 0

Latest FCKEditor ASP Upload Bypass Vulnerability

Posted on 2012-12-10 10:18:50

From exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"


PHP test: ineffective
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier re-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
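To make the quick patch concrete from the defender's side, the following is an added Python model (not FCKeditor's code and not part of this post) of an extension allow-list check. It assumes the allow-list is a regex alternation the way the `ConfigAllowedExtensions` entry above is, that the unpatched check runs that regex unanchored, and that a null byte in the submitted name truncates the name at the filesystem boundary; the allow-list contents, the sample file names and the `dedupe_name` rename logic are all constructed for the example. It goes beyond the post in one respect: besides anchoring the pattern with `^(...)$`, it validates the name that will actually be written after truncation and duplicate renaming, which is the code path the advisory says lacked validation.

```python
import re
from typing import Optional

# Constructed allow-list in the style of FCKeditor's "File" resource type:
# a regex alternation of permitted extensions. The real config.asp lists far
# more; this subset is constructed for the example.
UNANCHORED_ALLOWED = r"txt|pdf|zip"       # the shape the quick patch replaces
ANCHORED_ALLOWED = r"^(txt|pdf|zip)$"     # the shape the quick patch recommends


def extension_of(filename: str) -> str:
    """Everything after the last dot, lower-cased; '' when there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def extension_allowed(filename: str, pattern: str) -> bool:
    """Run the allow-list regex against the extension with re.search, which,
    like an unanchored RegExp.Test in VBScript, is satisfied by any substring
    unless the pattern itself carries ^ and $."""
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def written_name(submitted: str) -> str:
    """The name the OS would actually create: a NUL byte terminates the string
    at the filesystem API boundary, so everything after it is dropped.
    (Assumption: models classic null-byte truncation, not FCKeditor code.)"""
    return submitted.split("\x00", 1)[0]


def dedupe_name(name: str, existing: set) -> str:
    """Duplicate handling in the 'asd.asp -> asd(1).asp' style seen in the post
    (modelled here; not the connector's own code)."""
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    n = 1
    while f"{stem}({n}){dot}{ext}" in existing:
        n += 1
    return f"{stem}({n}){dot}{ext}"


def naive_upload(submitted: str, existing: set, pattern: str) -> Optional[str]:
    """Weak acceptance for contrast: check the submitted string once, then
    store whatever name truncation and the rename step produce."""
    if not extension_allowed(submitted, pattern):
        return None
    final = dedupe_name(written_name(submitted), existing)
    existing.add(final)
    return final


def accept_upload(submitted: str, existing: set, pattern: str) -> Optional[str]:
    """Hardened acceptance: validate the extension of the name that will be
    written (after truncation and dedupe), not the submitted string.
    Returns the stored name, or None if rejected."""
    final = dedupe_name(written_name(submitted), existing)
    if not extension_allowed(final, pattern):
        return None
    existing.add(final)
    return final


if __name__ == "__main__":
    # Constructed sample names; "\x00" is the raw null byte behind the post's %00.
    for name in ["report.txt", "notes.txtx", "page.asp", "page.asp\x00txt"]:
        print(repr(name),
              "unanchored:", extension_allowed(name, UNANCHORED_ALLOWED),
              "anchored:", extension_allowed(name, ANCHORED_ALLOWED))
```

Running the block shows the two failure modes side by side: with the unanchored pattern, `notes.txtx` passes because `txt` is a substring, and `page.asp\x00txt` passes for the same reason and is then written as `page.asp` (or `page(1).asp` when `page.asp` already exists). The anchored pattern rejects both, and `accept_upload` rejects the null-byte name even with the weak pattern because it checks the post-truncation name.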