exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
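A Python model of the quick patch above (an added example, not the advisory's or FCKeditor's own code): it assumes the extension is the text after the last dot and is matched against the configured list with a regular expression, and shows why only the anchored pattern rejects an extension that merely contains an allowed one, while also re-checking the final name produced by the duplicate-file rename.

```python
import re

# Allowed list for a hypothetical "File" resource type; constructed for this example.
ALLOWED_FILE_EXTENSIONS = "7z|doc|gif|jpg|pdf|png|txt|zip"


def extension_of(filename: str) -> str:
    """Text after the last dot, as a file manager would extract it."""
    dot = filename.rfind(".")
    return "" if dot < 0 else filename[dot + 1:]


def is_allowed(ext: str, allowed: str, anchored: bool) -> bool:
    """anchored=False mirrors the weak config ("Extensions Here"): re.search
    accepts any extension that merely *contains* an allowed one.
    anchored=True mirrors the quick patch ("^(Extensions Here)$")."""
    pattern = f"^({allowed})$" if anchored else allowed
    return re.search(pattern, ext, re.IGNORECASE) is not None


def unique_name(filename: str, existing: set) -> str:
    """Duplicate handling: name.ext -> name(1).ext, name(2).ext, ..."""
    if filename not in existing:
        return filename
    stem, _, ext = filename.rpartition(".")
    n = 1
    while f"{stem}({n}).{ext}" in existing:
        n += 1
    return f"{stem}({n}).{ext}"


def accept_upload(filename: str, existing: set, anchored: bool = True):
    """Name the file would be stored under, or None if rejected.
    The extension check runs on the *final* name (after any rename), the
    step the advisory says was skipped for duplicates."""
    if "\x00" in filename:  # a NUL byte truncates the name on disk; reject outright
        return None
    final = unique_name(filename, existing)
    if not is_allowed(extension_of(final), ALLOWED_FILE_EXTENSIONS, anchored):
        return None
    return final
```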
The PHP test did not work.
The ASP/ASPX test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it with Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp