exploiut-db:0 E/ ?$ {1 n. @' k
* d4 |7 t* F0 K3 ~( S% W3 ]& q
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
+ _8 q% e% l; p) o( A0 V7 U \- o1 ?/ W, _8 N
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
( @( P9 f9 {4 O: c- Y- Credit goes to: Mostafa Azizi, Soroush Dalili
4 l8 @1 G; p3 C9 M3 t9 N# R# s- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/9 J9 |) d: E2 v. l% [$ S) B
- Description:* W' V; a( W0 P! d7 ]
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is* y8 l, G- }7 _ z# `/ S" E) B* F
dealing with the duplicate files. As a result, it is possible to bypass) \, Z1 P4 ^% D+ T+ _( b
the protection and upload a file with any extension.
* v* f( \# [2 L, N6 Y- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/, ]2 H1 Y5 \5 @4 t8 T: v
- Solution: Please check the provided reference or the vendor website.% S0 Z. G6 z( N6 t: @0 {/ Z
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd7206 h. s& o$ ~9 v3 i! l" Z( p5 e; J( F
"
( f# \' S0 [% Z6 z/ Y: O$ mNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:9 C+ }) @+ \) y9 @* f" B
In “config.asp”, wherever you have:, w- z V1 F U
ConfigAllowedExtensions.Add “File”,”Extensions Here”
- @5 t/ C, }3 K1 ~, tChange it to:
8 z# S( t1 V1 y5 A' K* v ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”
. H" _/ \, E' K) C6 t) e
4 h4 G! X. j( X" z( A 3 z/ d+ z" u) Y6 o7 |9 F
* V5 F- \5 b* ]8 o1 f; i
1 x& a v$ m6 G9 @% T; U
1 |+ _7 j" a' ?/ lphp测试无效* t: \! c- Z# P# F" x/ [' @
asp/aspx测试成功:" Y: @( t2 P7 H
来到/FCKeditor/editor/filemanager/connectors/test.html, W* t$ @) B' {3 e3 G1 }) r; x
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
# T5 q0 u$ h1 ]5 P) m' B5 k' V# r1 |/ k9 I: U) i% u9 @! G
burpsuite上传包并修改,repeater
2 y4 E% r/ ]5 J% }3 t; V' [7 y名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
! {% _* g. }1 z. B7 k0 r8 L
! Y8 ^( ^# u$ v6 m如图,webshell为:http://localhost/userfiles/file/asd(1).asp
6 z! C6 }0 m' i- ]8 S( m3 ]. [* z5 E7 F8 H
|
发表于 2012-12-10 10:18:50
收藏
支持
反对