Latest FCKEditor ASP upload bypass vulnerability

Posted 2012-12-10 10:18:50
From Exploit-DB:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: no effect.
Tested on ASP/ASPX: succeeds:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then URL-decode the %00 in Burp (so it becomes a real null byte); after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
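To make the point of the advisory's quick patch concrete, here is an added Python model of the extension check. This is example code written for this page, not FCKeditor's ASP connector, and it makes two labelled assumptions: a short constructed allow-list in the config.asp style, and a storage layer that writes only the bytes before the first NUL, which is the behaviour the %00 trick in the post relies on. An unanchored alternation matches any substring of the extension, so the "extension" asp%00txt is accepted because it contains txt; wrapping the pattern in ^( ... )$ as the patch does forces the whole extension to equal exactly one allowed alternative.

```python
import re

# Constructed allow-list in the config.asp style: alternatives joined by "|".
# FCKeditor's real default list is longer; this one exists only for the example.
ALLOWED_EXTENSIONS = "txt|jpg|gif|png|zip"


def is_allowed_unanchored(extension):
    """Allow-list check whose pattern carries no ^ or $ anchors.

    re.search accepts a match anywhere inside the string, so an "extension"
    such as "asp\\x00txt" passes because it contains the permitted "txt".
    """
    return re.search(ALLOWED_EXTENSIONS, extension, re.IGNORECASE) is not None


def is_allowed_anchored(extension):
    """The same check after the advisory's quick patch: ^( ... )$.

    The whole extension must now equal exactly one allowed alternative,
    so anything with extra bytes before or after (a NUL, ".asp", ...) fails.
    """
    pattern = "^(" + ALLOWED_EXTENSIONS + ")$"
    return re.search(pattern, extension, re.IGNORECASE) is not None


def extension_of(filename):
    """Extension as a naive connector sees it: everything after the last dot.

    No attempt is made to stop at a NUL byte, so the NUL stays inside the
    extension string; that is what the unanchored regex is fooled by.
    """
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def stored_name(filename):
    """Assumption for this model: the file-system layer behaves like a
    C-string API and keeps only the bytes before the first NUL."""
    return filename.split("\x00", 1)[0]


def simulate_upload(filename, check):
    """Run the chosen extension check and return the name that would land
    on disk, or None if the upload is rejected."""
    if not check(extension_of(filename)):
        return None
    return stored_name(filename)


if __name__ == "__main__":
    # Constructed sample names: a normal text file, a plain .asp, and the
    # NUL-byte name from the post above.
    for name in ("notes.txt", "shell.asp", "asd.asp\x00txt"):
        printable = name.replace("\x00", "%00")
        print("%-14s unanchored -> %-10s anchored -> %s" % (
            printable,
            simulate_upload(name, is_allowed_unanchored),
            simulate_upload(name, is_allowed_anchored)))
```

Run it and asd.asp%00txt is rejected only by the anchored check; with the unanchored one it is accepted and the stored name truncates to asd.asp. Anchoring the pattern is necessary but only helps where the check is actually invoked: the advisory's description says the duplicate-file path of the 2.6.8 connector skips extension validation, so the same anchored check has to be applied to whatever name is generated on that path as well.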