exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"

Tested on PHP: no effect.
Tested on asp/aspx: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it with Repeater
Change the name to asd.asp%00txt, then convert the %00 into URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp