exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
 ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
 ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
PHP test: no effect
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it from Repeater
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
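To make the quick patch's point concrete from the defender's side, here is an added Python model (not the connector's code and not part of the post) that contrasts the unanchored allow-list regex with the anchored "^(...)$" form, and shows why the final on-disk name has to be validated again after duplicate renaming. The allow-list, the set of existing files, and the NUL-truncation step in the flawed flow are assumptions made for the model.

```python
import re

# Constructed allow-list for illustration; the real one lives in config.asp.
ALLOWED = "txt|jpg|png"
WEAK_RE = re.compile(ALLOWED, re.IGNORECASE)              # unanchored, as in the original line
STRICT_RE = re.compile(rf"^({ALLOWED})$", re.IGNORECASE)  # anchored, as in the quick patch


def extension_of(name):
    """Part after the last dot, or '' when there is none."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def weak_check(name):
    """Unanchored: any allowed token appearing anywhere inside the extension passes."""
    return WEAK_RE.search(extension_of(name)) is not None


def strict_check(name):
    """Anchored: the whole extension must equal exactly one allowed token."""
    return STRICT_RE.match(extension_of(name)) is not None


def next_free_name(name, existing):
    """Duplicate-file renaming as the post observes it: asd.asp -> asd(1).asp."""
    base, ext = name.rsplit(".", 1) if "." in name else (name, "")
    candidate, n = name, 0
    while candidate in existing:
        n += 1
        candidate = f"{base}({n}).{ext}" if ext else f"{base}({n})"
    return candidate


def vulnerable_store_name(raw_name, existing):
    """Model of the flawed flow (assumed): check the raw name once with the weak
    regex, then let the native file API truncate at NUL and rename duplicates
    without re-checking the name actually written to disk."""
    if not weak_check(raw_name):
        return None
    truncated = raw_name.split("\x00", 1)[0]
    return next_free_name(truncated, existing)


def hardened_store_name(raw_name, existing):
    """Reject control characters, use the anchored regex, and validate the
    final on-disk name again after duplicate renaming."""
    if any(ord(c) < 32 for c in raw_name):
        return None
    if not strict_check(raw_name):
        return None
    final = next_free_name(raw_name, existing)
    return final if strict_check(final) else None
```

Running both functions on the same name with "asd.asp" already present shows the weak flow producing "asd(1).asp" while the hardened flow rejects the upload outright.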