最新FCKEditor ASP上传绕过漏洞

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"

PHP test: no effect.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier second-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp

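Added example, not from the advisory or the FCKeditor project: a Python model of the extension check that the quick patch above changes, showing why the unanchored "Extensions Here" pattern accepts the name used in this post while the anchored "^(Extensions Here)$" form rejects it, together with a hardened acceptance routine that validates the name actually stored after duplicate renaming. The allowed list is shortened and constructed, and `unique_name` and `accept_upload` are assumed helpers, not FCKeditor's code.

```python
import re

# Constructed, shortened allowed list in the "a|b|c" form config.asp uses.
ALLOWED = "jpg|gif|png|txt|pdf"
# "Extensions Here" as in the unpatched config: an unanchored pattern.
WEAK_PATTERN = re.compile(ALLOWED, re.IGNORECASE)
# "^(Extensions Here)$" as in the quick patch: the whole extension must match.
FIXED_PATTERN = re.compile(r"^(" + ALLOWED + r")$", re.IGNORECASE)


def extension_of(name: str) -> str:
    """Text after the last dot in the file name, or '' when there is no dot."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_allowed_weak(name: str) -> bool:
    """Unanchored check: passes when the extension merely *contains* an allowed
    one, so 'asp\\x00txt' is accepted because 'txt' occurs inside it."""
    return WEAK_PATTERN.search(extension_of(name)) is not None


def is_allowed_fixed(name: str) -> bool:
    """Anchored check from the quick patch. Python's '$' still tolerates a
    trailing newline, so callers must reject control characters separately."""
    return FIXED_PATTERN.match(extension_of(name)) is not None


def unique_name(name: str, existing: set) -> str:
    """Assumed duplicate handling: 'x.ext' becomes 'x(1).ext', 'x(2).ext', ..."""
    if name not in existing:
        return name
    stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
    suffix = f".{ext}" if ext else ""
    n = 1
    while f"{stem}({n}){suffix}" in existing:
        n += 1
    return f"{stem}({n}){suffix}"


def accept_upload(name: str, existing: set):
    """Hardened acceptance (hypothetical): reject control bytes such as NUL,
    then validate the *final* stored name, i.e. after any duplicate renaming,
    rather than the name the client sent. Returns the stored name or None."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return None
    final = unique_name(name, existing)
    return final if is_allowed_fixed(final) else None
```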