exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:

In "config.asp", wherever you have:

    ConfigAllowedExtensions.Add "File","Extensions Here"

Change it to:

    ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
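The quick patch above turns the allowed-extension list from a bare alternation into one anchored with ^( )$. The following Python model is added here to show why that matters; it is not code from the advisory or from FCKeditor itself. A regular expression tested without anchors succeeds whenever the extension merely contains an allowed one, so an extension such as asp<NUL>txt (the asd.asp%00txt upload from the write-up) passes the unanchored check and fails the anchored one. The allowed list, the sample filenames, the `ext_of` helper and the null-byte truncation model are assumptions for illustration; VBScript's RegExp.Test is modeled with Python's re.search because both report a match found anywhere in the subject string.

```python
import re

# Assumed allowed-extension list in the alternation form config.asp uses;
# a real deployment's list will differ.
ALLOWED = "txt|jpg|gif|png"

UNANCHORED_PATTERN = ALLOWED              # shape of the vulnerable config line
ANCHORED_PATTERN = "^(" + ALLOWED + ")$"  # shape of the quick-patched config line


def ext_of(filename: str) -> str:
    """Text after the last dot; an assumed model of how the connector picks
    the extension it validates."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1]


def is_allowed(filename: str, pattern: str) -> bool:
    """Model of the connector's extension check.  VBScript's RegExp.Test,
    like re.search, matches anywhere in the subject rather than requiring
    the whole string to match, which is exactly what the ^...$ anchors fix."""
    return re.search(pattern, ext_of(filename)) is not None


def name_seen_by_filesystem(filename: str) -> str:
    """Assumed model of why the stored file loses the trailing 'txt':
    a null-terminated string API stops at the first NUL byte."""
    return filename.split("\x00", 1)[0]


# Constructed sample filenames.  "\x00" is the raw null byte the write-up
# sends by URL-decoding %00 in Burp Repeater.
SAMPLES = [
    "notes.txt",            # legitimate upload
    "asd.asp.txt",          # first upload in the write-up; extension is "txt"
    "asd.asp\x00txt",       # second upload; extension is "asp\x00txt"
    "shell.txtasp",         # extension "txtasp" also merely contains "txt"
    "shell.asp",            # plain .asp must be rejected in both configurations
]


def compare(filenames=SAMPLES):
    """Return {filename: (allowed_by_unanchored, allowed_by_anchored)}."""
    return {
        f: (is_allowed(f, UNANCHORED_PATTERN), is_allowed(f, ANCHORED_PATTERN))
        for f in filenames
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print("%-22r unanchored: %-5s anchored: %-5s on disk as: %r"
              % (name, before, after, name_seen_by_filesystem(name)))
```

The point to take from the output is that the unanchored pattern accepts both asd.asp<NUL>txt and shell.txtasp, while the anchored pattern only accepts extensions that are exactly one of the listed values; the anchoring costs nothing for legitimate uploads such as notes.txt.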
PHP version: the test did not work.
ASP/ASPX version: the test succeeded:

Go to /FCKeditor/editor/filemanager/connectors/test.html.
Because this chains with the duplicate-file (second upload) vulnerability described above, first upload a file with arbitrary content named asd.asp.txt.
Capture the upload request in Burp Suite and modify it in Repeater:
change the filename to asd.asp%00txt, then convert the %00 into a raw null byte (URL-decode the selection in Burp) and send the request; the stored file comes back as asd(1).asp.
As the screenshot showed, the webshell is at: http://localhost/userfiles/file/asd(1).asp