exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
 ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
 ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

PHP version: test did not work.
ASP/ASPX version: test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
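Added example (not code from the advisory, the forum poster, or FCKeditor itself): a Python model of why the advisory's quick patch works, contrasting an unanchored allowlist regex with the anchored "^(...)$" form, and a hardened variant that rejects control characters and validates the final on-disk name. The allowlist, the "name(1).ext" duplicate-renaming scheme, and the "text after the last dot" extension extraction are assumptions, not the connector's real logic.

```python
import re
from typing import Optional, Set

# Constructed allowlist in the shape of the advisory's config.asp line:
#   ConfigAllowedExtensions.Add "File", "Extensions Here"
ALLOWED = "txt|jpg|png"

# Weak form: the pattern only has to occur somewhere inside the extension.
UNANCHORED = re.compile(ALLOWED, re.IGNORECASE)
# Quick patch from the advisory: "^(Extensions Here)$" must match the whole extension.
ANCHORED = re.compile(r"^(" + ALLOWED + r")$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Text after the final '.' (assumed to mirror the connector's extraction)."""
    return filename.rpartition(".")[2]


def unanchored_check(filename: str) -> bool:
    """Passes 'asd.asp\\x00txt' because 'txt' occurs inside the extension."""
    return UNANCHORED.search(extension_of(filename)) is not None


def anchored_check(filename: str) -> bool:
    """Rejects 'asd.asp\\x00txt': the whole extension must be one allowed token."""
    return ANCHORED.search(extension_of(filename)) is not None


def dedup_name(filename: str, existing: Set[str]) -> str:
    """Constructed stand-in for duplicate renaming: name(1).ext, name(2).ext, ..."""
    base, _, ext = filename.rpartition(".")
    candidate, n = filename, 1
    while candidate in existing:
        candidate = f"{base}({n}).{ext}"
        n += 1
    return candidate


def hardened_store_name(filename: str, existing: Set[str]) -> Optional[str]:
    """Defensive version: strip any path component, reject control characters
    (NUL included), compute the final on-disk name and validate *that* name
    against the anchored allowlist. Returns the name to store, or None to refuse."""
    name = re.split(r"[\\/]", filename)[-1]
    if not name or any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return None
    final = dedup_name(name, existing)
    return final if anchored_check(final) else None
```

The check on the final name matters because the advisory's bug is that the duplicate-handling path skipped validation entirely.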