中国网络渗透测试联盟

标题: 最新FCKEditor ASP上传绕过漏洞 [打印本页]

---

作者: admin    时间: 2012-12-10 10:18
标题: 最新FCKEditor ASP上传绕过漏洞
exploiut-db：
4 S. h( H& p- i+ z6 I% j
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
9 \6 F( o0 \1 |; Z2 ?+ S: Q5 r- Credit goes to: Mostafa Azizi, Soroush Dalili
7 T; v; G9 G6 {2 d" a- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
  w' M3 O% `  f$ e- u: ndealing with the duplicate files. As a result, it is possible to bypass
0 @" B/ _. D; \7 jthe protection and upload a file with any extension.
% k6 P6 K2 O* g, q- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
1 h8 m2 I1 d+ q& N( Z6 ^In “config.asp”, wherever you have:
8 }/ `4 i5 x6 ]) c+ {      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
, j$ d- D5 z% [7 s0 T& b% H2 ]Change it to:
6 }/ w0 {; |' q      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”
5 J& ?! s* a, I  C

0 v  Y" E) n' P, o
9 b1 \  S5 l3 p- [

php测试无效
/ ~/ Z) U& ~/ F( W1 iasp/aspx测试成功：
来到/FCKeditor/editor/filemanager/connectors/test.html
因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt
2 X4 H' e8 A4 C' p
burpsuite上传包并修改，repeater
# t4 I' L8 ?' s名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

  c$ l- k* ?. V( v. A/ ^如图，webshell为：http://localhost/userfiles/file/asd(1).asp
# w/ w  `4 E( A+ o  m0 ^; D6 D: g

---

欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)

Powered by Discuz! X3.2