Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
PHP: test had no effect.
ASP/ASPX: test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this chains with the earlier duplicate-upload (second upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater:
change the name to asd.asp%00txt, then convert the %00 with Burp's URL encoding and send it; after the upload the stored file is asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp