exploiut-db:2 Y( I/ L" ]' J
! {3 [" f2 D, C: D" U2 D9 @FCKEditor ASP Version 2.6.8 File Upload Protection Bypass% q6 ?& p2 Y" G) M
2 R% d9 ]! [) n, ~( h5 u
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
3 G* p* P/ [- C0 b, z6 }- Credit goes to: Mostafa Azizi, Soroush Dalili2 O, e# J/ J6 y0 b- v5 k8 E
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
/ e6 {) |( T8 t- Description:
7 B x. b2 h4 ]0 RThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is
X) w3 C* C' o& w+ R+ tdealing with the duplicate files. As a result, it is possible to bypass* w0 f7 g' L- P( J: p6 M
the protection and upload a file with any extension.
2 s: j, h6 _4 i# |- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/! M( `, x/ ^% D! O- a8 B% Y
- Solution: Please check the provided reference or the vendor website.
+ _/ z0 F% M, R0 r4 c; [9 }- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720) x3 g6 v& ?) [# U: T
"
5 T! D% O, b: o; wNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
5 K2 _+ \, e1 t; n* |In “config.asp”, wherever you have:2 H1 }% G% y& r
ConfigAllowedExtensions.Add “File”,”Extensions Here”
+ z9 f- @: I; }" G0 b' X WChange it to:) W! M7 M. _1 j, G' b) S& K
ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”' v5 q, ^$ E( [/ a; C0 J
# o# d3 i7 J7 G( C
7 A' v4 F/ ?; ~: L, t; I6 Q
0 m3 u, V6 l- I8 I/ F+ K
2 K% e" J v& r2 V( ~- B
0 B7 k" _* w2 `php测试无效
- P1 k2 G; u0 C. T' \1 n$ y. k+ ~: rasp/aspx测试成功:. K# \; j1 \5 [! a" [& V( U
来到/FCKeditor/editor/filemanager/connectors/test.html
8 a+ `8 M9 j! w9 F d* k- e因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt1 g; G6 a! t. ]% T) p* \
6 g1 z5 {1 X+ M( s; wburpsuite上传包并修改,repeater
9 I# I8 l1 N0 o# d& D8 Y3 u名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
. }, l3 f0 J5 M! n, U3 _4 a `3 `9 S/ d. L4 t
如图,webshell为:http://localhost/userfiles/file/asd(1).asp ]8 l; s- K9 \# N" V2 o: j( Y
; c7 k; |! d! A" H2 |
|