Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

"FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: no effect.
Tested on ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
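As an added defensive example (not code from this post or from FCKEditor), here is a Python model of the check the quick patch above implies: the allowed extensions compiled into an anchored ^(...)$ pattern, applied to the name as it will actually be stored, that is after the duplicate rename, and rejecting the null byte used in the post. The allow-list and the (1), (2) rename format are constructed assumptions.

```python
import re

# Constructed sample allow-list (assumption, not FCKEditor's default). The quick
# patch anchors the pattern as ^(...)$, so an extension must match an entry whole.
ALLOWED_EXTENSIONS = ("txt", "jpg", "png", "pdf")
ALLOWED_PATTERN = re.compile(
    r"^(" + "|".join(map(re.escape, ALLOWED_EXTENSIONS)) + r")$", re.IGNORECASE
)


def extension_of(filename):
    """Return the text after the last dot, or '' when there is no dot."""
    _base, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def is_safe_name(filename):
    """Reject control characters (the %00 null byte in the post), path separators
    and any extension that does not fully match the anchored allow-list."""
    if not filename or any(ord(c) < 32 or c == "\x7f" for c in filename):
        return False
    if "/" in filename or "\\" in filename or ".." in filename:
        return False
    return ALLOWED_PATTERN.match(extension_of(filename)) is not None


def unique_name(filename, existing):
    """Model of the connector's duplicate handling (assumed format): insert (1),
    (2), ... before the last extension until the name is not in `existing`."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    candidate, n = filename, 0
    while candidate in existing:
        n += 1
        candidate = f"{base}({n}).{ext}" if ext else f"{base}({n})"
    return candidate


def store_upload(filename, existing):
    """Return the stored name, or None if the upload is refused. The allow-list is
    checked on the submitted name and again on the final, renamed name: the
    advisory's point is that 2.6.8 skipped validation on the duplicate path."""
    if not is_safe_name(filename):
        return None
    final = unique_name(filename, existing)
    if not is_safe_name(final):  # guards whatever the rename step produced
        return None
    existing.add(final)
    return final
```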