exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
PHP: test had no effect.
ASP/ASPX: test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it with Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
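The quick patch above anchors the allowed-extension pattern with ^(...)$ so that a whole extension, not a substring of it, has to match. The following Python is an added illustration of that fix and of checking the name that is actually written to disk after the duplicate rename; it is not FCKeditor's VBScript and not code from the advisory authors. The allowed list, the "everything after the first dot" extension convention, and the name(1).ext rename scheme are constructed assumptions modelled on the advisory text.

```python
import re

# Constructed allowed list standing in for the advisory's "Extensions Here"
# placeholder; a real config.asp lists the site's own extensions.
ALLOWED = "txt|jpg|gif|png"

# Weak setting: the pattern as written in config.asp before the patch.
# Tested with search(), it succeeds if it appears anywhere in the string.
WEAK = re.compile(ALLOWED, re.IGNORECASE)

# Quick patch from the advisory: anchored, so the whole extension must match.
FIXED = re.compile(rf"^({ALLOWED})$", re.IGNORECASE)


def extension_of(filename):
    """Return everything after the first dot of the base name, so a double
    extension such as 'asp.txt' is examined as a whole (assumption: a
    defensive convention chosen for this example, not FCKeditor's)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".", 1)[1] if "." in base else ""


def stored_name(filename, existing):
    """Model the duplicate-handling rename the advisory refers to:
    name.ext -> name(1).ext, name(2).ext ... until a free name is found
    (assumption: simplified scheme for this example)."""
    base = filename.rsplit("/", 1)[-1]
    if base not in existing:
        return base
    stem, dot, ext = base.partition(".")
    n = 1
    while f"{stem}({n}){dot}{ext}" in existing:
        n += 1
    return f"{stem}({n}){dot}{ext}"


def check_upload(filename, existing, pattern):
    """Return (accepted, final_name). The extension check is applied to the
    name that will actually be written, i.e. after any duplicate rename,
    so the rename path cannot skip validation."""
    # NUL and other control characters have no place in a filename
    if any(ord(c) < 32 for c in filename):
        return False, None
    final = stored_name(filename, existing)
    ext = extension_of(final)
    if not ext or pattern.search(ext) is None:
        return False, None
    return True, final


if __name__ == "__main__":
    # Constructed sample names; the first shows the unanchored pattern
    # accepting a double extension that the anchored pattern rejects.
    for name, existing in [("asd.asp.txt", set()),
                           ("notes.txt", {"notes.txt"}),
                           ("asd.asp\x00txt", set())]:
        print(repr(name), "weak:", check_upload(name, existing, WEAK),
              "fixed:", check_upload(name, existing, FIXED))
```

The point of validating `final` rather than the submitted name is that a rename applied for duplicate handling is the last transformation before the write, so it is the last place the extension can still change.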