exploiut-db:
5 t+ D2 H' x* k. \ N# a! h" T" c" n: r a$ o; t
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass4 N9 u' D/ w' P' O$ ]7 Y4 `- l0 b! z
0 D: n+ _+ L* c) Z
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass+ u2 K0 Q2 ^# h! O4 ?) J1 B2 t$ P4 S+ `
- Credit goes to: Mostafa Azizi, Soroush Dalili
* e7 f' {& y I, w/ V- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/3 B* U; `* j/ K5 c
- Description:# y: Z" @3 n/ [4 C6 A+ j$ v ~
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
5 ^* [7 v3 Q* w% m$ ~. Tdealing with the duplicate files. As a result, it is possible to bypass
6 r9 t3 b% t2 {the protection and upload a file with any extension.1 v3 o3 g# ]+ ~& n
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
3 s+ x& c! {. Z8 c. F& Z- Solution: Please check the provided reference or the vendor website.7 Y$ k7 q3 L8 }8 n1 }$ v
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720! Y& j$ u6 G* }- z( B0 P7 K9 j
"+ C8 w0 M+ Y8 b6 @& c& X. ~
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
6 k( T" B7 F# d* K' wIn “config.asp”, wherever you have:) @8 l# D! I6 o
ConfigAllowedExtensions.Add “File”,”Extensions Here”
6 i3 L6 D' q5 i: p5 e* wChange it to:
: _8 L. G8 P- x- O9 q3 l1 G ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”0 L. x, _9 h, k, |. x
7 C- i' `3 G) p5 |/ i7 K, B
! a: o$ y1 x: d" A' q, K) i3 l) j3 z$ N# s- s8 T
" O8 H0 L+ J5 \# d- K8 c9 k
1 u( Z3 U" }+ }! R) m; S+ Lphp测试无效+ d, n4 n( Y. J1 o2 ]8 d0 X9 M7 }
asp/aspx测试成功:
3 g0 i4 S. K# N0 b. h) n来到/FCKeditor/editor/filemanager/connectors/test.html
( e7 M: d: ~: P) f因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
2 f; z. x/ o( f7 p7 ?
: _, ]- _0 q4 h n( b6 xburpsuite上传包并修改,repeater s# [( F4 o3 w
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp; S) ^+ h. M2 {* X+ v O
; O4 `6 V- ]- v& Q0 V如图,webshell为:http://localhost/userfiles/file/asd(1).asp, O+ o: Q2 B3 V6 D" }6 S/ C# e
( I/ ^7 h* T0 x |
发表于 2012-12-10 10:18:50
收藏
支持
反对