exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Testing on PHP: did not work
Testing on ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload (second upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it to Repeater
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
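As an added illustration (Python, not FCKEditor's ASP code) of the quick patch above and of the %00 rename observed in the test notes: an unanchored allowlist regex accepts any extension that merely contains an allowed token, while the ^( )$ form requires the whole extension to match. The allowlist is constructed, and the NUL truncation and base(1).ext rename are assumed models of what the file layer does, not FCKEditor's actual code.

```python
import re

# Constructed allowlist standing in for the "Extensions Here" alternation in the
# advisory's config.asp line; FCKEditor's real list is longer.
ALLOWED = "txt|pdf|jpg|png"

def extension_of(filename):
    """Text after the last dot, lowercased; '' if there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""

def weak_is_allowed(filename):
    """Unanchored alternation, as before the quick patch: re.search succeeds
    whenever an allowed token appears anywhere inside the extension."""
    return re.search(ALLOWED, extension_of(filename), re.IGNORECASE) is not None

def patched_is_allowed(filename):
    """The quick patch from the advisory: ^( ... )$ forces the whole
    extension to be exactly one allowed token."""
    pattern = "^(" + ALLOWED + ")$"
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None

def stored_name(filename, existing):
    """Assumed model of the name that lands on disk: a C-style file API stops
    at the first NUL byte, and a duplicate is renamed base(1).ext, base(2).ext
    (the post reports asd(1).asp). Not FCKEditor's code."""
    name = filename.split("\x00", 1)[0]
    base, dot, ext = name.rpartition(".")
    if not dot:
        base = name
    candidate, n = name, 0
    while candidate in existing:
        n += 1
        candidate = f"{base}({n}).{ext}" if dot else f"{base}({n})"
    return candidate

def safe_is_allowed(filename, existing):
    """Defensive order: refuse control characters, compute the exact name that
    will be stored (rename included), then run the anchored check on that."""
    if any(ord(c) < 32 for c in filename):
        return False
    return patched_is_allowed(stored_name(filename, existing))

if __name__ == "__main__":
    on_disk = {"asd.asp"}          # constructed collision to trigger the rename path
    name = "asd.asp\x00txt"        # the %00 name from the post, URL-decoded
    print(weak_is_allowed(name), patched_is_allowed(name))             # True False
    print(stored_name(name, on_disk), safe_is_allowed(name, on_disk))  # asd(1).asp False
```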