Latest FCKEditor ASP Upload Bypass Vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: does not work.
Tested on ASP/ASPX: works:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
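As an added illustration of why the quick patch wraps the extension list in ^( ... )$, here is a small Python model of an upload-extension allow-list check with and without the anchors. It is written for this page and is not FCKEditor's own ASP code. The allow-list txt|jpg|gif|pdf stands in for the advisory's "Extensions Here" placeholder, the helper names are assumptions, and the control-character rejection is an extra check recommended here rather than part of the advisory. The sample names are the ones the post uses, constructed with %00 decoded to a real NUL byte.

```python
import re

# Constructed allow-list standing in for the advisory's "Extensions Here"
# placeholder; the real config.asp value is assumed to be a longer
# pipe-separated list of the same shape.
ALLOWED_FILE_EXTENSIONS = "txt|jpg|gif|pdf"


def extension_of(filename: str) -> str:
    """Return the text after the last dot of the base name, lower-cased,
    or '' when the name has no dot.  Nothing after a NUL is stripped here,
    so the checks below see the full extension the client sent."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def allowed_unanchored(filename: str, pattern: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """Weak check, modelling a bare 'txt|jpg|...' pattern: re.search succeeds
    as soon as any allowed token appears *somewhere* inside the extension."""
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def allowed_anchored(filename: str, pattern: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """Hardened check, modelling the advisory's '^(txt|jpg|...)$' patch: the
    whole extension must equal exactly one allowed token."""
    return re.fullmatch(f"^({pattern})$", extension_of(filename), re.IGNORECASE) is not None


def has_control_chars(filename: str) -> bool:
    """Extra check (assumption, not part of the advisory): reject names that
    contain NUL or other control characters, since different layers of a
    server stack may truncate such names at different points."""
    return any(ord(c) < 0x20 for c in filename)


def validate_upload(filename: str) -> tuple[bool, str]:
    """Decision a hardened upload handler would make for a client-supplied name.
    Returns (accepted, reason)."""
    if has_control_chars(filename):
        return False, "control character in filename"
    if not allowed_anchored(filename):
        return False, f"extension {extension_of(filename)!r} not in allow-list"
    return True, "ok"


def compare_checks(names: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each name, the (unanchored verdict, anchored verdict) pair."""
    return {n: (allowed_unanchored(n), allowed_anchored(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names: the two from the post (with %00 decoded to a
    # real NUL byte) plus one plainly allowed and one plainly disallowed name.
    samples = ["asd.asp.txt", "asd.asp\x00txt", "asd(1).asp", "report.pdf"]
    for name, (weak, strong) in compare_checks(samples).items():
        print(f"{name!r:22} unanchored={weak!s:5} anchored={strong!s:5} "
              f"-> {validate_upload(name)}")
```

Running the block shows the point of the patch: the unanchored pattern accepts the NUL-containing extension because the token txt occurs inside it, while the anchored pattern, which requires the entire extension to be one allowed token, rejects it. The separate control-character check catches the same name one step earlier and is the cheaper first line of defence.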