Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: did not work.
Tested on ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
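The quick patch in the advisory anchors the allowed-extension pattern with ^(...)$. The following Python model is an added example, not code from the post or from FCKEditor: it places an unanchored substring check beside the anchored one, and adds a store-name routine that rejects control characters and re-validates the name after the duplicate-renaming step (the step the advisory says skipped validation). The allowlist values are constructed for the example.

```python
import re

# Constructed sample allowlist in the same "a|b|c" alternation form that the
# advisory's ConfigAllowedExtensions.Add "File", "..." setting uses.
ALLOWED_FILE_EXTS = "7z|csv|doc|gif|jpeg|jpg|pdf|png|txt|zip"


def extension_of(filename: str) -> str:
    """Text after the last dot of the bare file name, lower-cased ('' if none)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def weak_check(filename: str, allowed: str = ALLOWED_FILE_EXTS) -> bool:
    """Unanchored pattern, as before the quick patch: re.search is satisfied
    when the extension merely CONTAINS an allowed word anywhere in it."""
    return re.search(allowed, extension_of(filename), re.IGNORECASE) is not None


def anchored_check(filename: str, allowed: str = ALLOWED_FILE_EXTS) -> bool:
    """The quick patch: ^(...)$ forces the WHOLE extension to be one allowed word."""
    return re.fullmatch(f"({allowed})", extension_of(filename), re.IGNORECASE) is not None


def hardened_store_name(filename: str, existing: set, allowed: str = ALLOWED_FILE_EXTS):
    """Name to store the upload under, or None to reject.

    Rejects control characters (a NUL can truncate the name at the filesystem
    layer), uses the anchored allowlist, and validates AGAIN after the
    duplicate-renaming step, which is where the advisory says 2.6.8 skipped it.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or any(ord(c) < 32 or ord(c) == 127 for c in base):
        return None
    if not anchored_check(base, allowed):
        return None
    stem, ext = base.rsplit(".", 1)
    candidate, n = base, 0
    while candidate in existing:           # name(1).ext, name(2).ext, ...
        n += 1
        candidate = f"{stem}({n}).{ext}"
    # Re-validate the final name: the rename must never change the outcome.
    return candidate if anchored_check(candidate, allowed) else None


if __name__ == "__main__":
    for name in ("report.pdf", "asd.asp", "asd.asp\x00txt"):
        print(repr(name), weak_check(name), anchored_check(name))
```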