
Latest FCKEditor ASP Upload Bypass Vulnerability

Posted on 2012-12-10 10:18:50
exploit-db: "

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"

Tested on PHP: no effect.
Tested on ASP/ASPX: success.

Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier re-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
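As an added illustration (not part of the post or of FCKEditor's own code), the unanchored versus anchored allow-list check behind the quick patch above, modelled in Python rather than the original VBScript. The extension list, the simplified name(1).ext duplicate renaming, and the control-character rejection are assumptions of this example, not taken from the advisory.

```python
import re

# Constructed allow-list, in the shape config.asp's ConfigAllowedExtensions line uses.
ALLOWED_EXTENSIONS = "txt|jpg|png|pdf"


def ext_of(filename: str) -> str:
    """Extension as an FCKEditor-style check sees it: everything after the last dot."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def allowed_unanchored(filename: str) -> bool:
    """Weak form: the configured pattern is applied as-is, so any substring match passes."""
    return re.search(ALLOWED_EXTENSIONS, ext_of(filename), re.IGNORECASE) is not None


def allowed_anchored(filename: str) -> bool:
    """The advisory's quick patch: ^(...)$ forces the whole extension to match one entry."""
    return re.search(f"^({ALLOWED_EXTENSIONS})$", ext_of(filename), re.IGNORECASE) is not None


def stored_name(filename: str, existing: set) -> str:
    """Simplified model (assumption, not FCKEditor's code) of what ends up on disk:
    a C-level file API stops at the first NUL byte, and a duplicate becomes name(1).ext."""
    truncated = filename.split("\x00", 1)[0]
    if truncated not in existing:
        return truncated
    if "." in truncated:
        stem, ext = truncated.rsplit(".", 1)
        suffix = "." + ext
    else:
        stem, suffix = truncated, ""
    n = 1
    while f"{stem}({n}){suffix}" in existing:
        n += 1
    return f"{stem}({n}){suffix}"


def safe_to_store(filename: str, existing: set) -> bool:
    """Defender's check (goes beyond the advisory's patch): refuse control characters,
    then validate the name that will actually be written, not the name that was submitted."""
    if any(ord(c) < 0x20 for c in filename):
        return False
    return allowed_anchored(stored_name(filename, existing))
```

With the constructed name asd.asp\x00txt the unanchored check passes on the embedded "txt" while the anchored check and safe_to_store both reject it.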