exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
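An added example, not FCKeditor's code and not the advisory author's: a Python model of why the quick patch matters. The unanchored pattern finds "txt" inside a name such as asp<NUL>txt, while the anchored ^(...)$ form only accepts a whole extension; the null-byte truncation and the name(1).ext duplicate renaming are modelled assumptions that mirror the behaviour described above, not the connector's actual code.

```python
import os
import re

# Constructed allowlist standing in for the advisory's "Extensions Here".
ALLOWED = "txt|jpg|png"


def unique_name(filename, existing):
    """Modelled duplicate handling (assumption): asd.asp -> asd(1).asp when the name is taken."""
    base, ext = os.path.splitext(filename)
    candidate, n = filename, 0
    while candidate in existing:
        n += 1
        candidate = f"{base}({n}){ext}"
    return candidate


def vulnerable_store(submitted, existing):
    """Weak flow: unanchored pattern tested on the submitted name, final name never re-checked."""
    ext = submitted.rsplit(".", 1)[-1]
    # "txt" is found inside "asp\x00txt", so the unanchored check passes.
    if re.search(ALLOWED, ext, re.IGNORECASE) is None:
        return None
    # Assumption modelling the PoC: the stored name is cut at the null byte,
    # so asd.asp\x00txt collides with an existing asd.asp and becomes asd(1).asp.
    on_disk = submitted.split("\x00", 1)[0]
    return unique_name(on_disk, existing)


def hardened_store(submitted, existing):
    """Hardened flow: reject control characters and path separators, derive the
    final stored name first, then match its extension against the anchored pattern."""
    if any(ord(c) < 32 for c in submitted) or "/" in submitted or "\\" in submitted:
        return None
    final = unique_name(submitted, existing)
    ext = os.path.splitext(final)[1].lstrip(".")
    # ^(...)$ mirrors the quick patch; fullmatch enforces the same whole-string rule.
    if re.fullmatch(f"^({ALLOWED})$", ext, re.IGNORECASE) is None:
        return None
    return final
```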
PHP version test: not effective.
ASP/ASPX version test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp