exploiut-db:
9 I6 R8 D5 `1 Z; n M* f0 H3 `/ g
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
9 I, j1 p0 F3 P- P; x3 o" P
: ^: d8 n8 X- I- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
# m. ]: S0 L1 N6 P1 U, Q/ k- Credit goes to: Mostafa Azizi, Soroush Dalili, v" V- G& Y' q) N1 Z' m
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
8 g$ U, B& h8 O# y- Description:4 `0 I( D$ `4 ~$ _$ A
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is& Z8 c, i% k' _# m
dealing with the duplicate files. As a result, it is possible to bypass
" e6 y! V& ?& ~9 S6 A& N9 vthe protection and upload a file with any extension.
; t5 R: n$ S M8 F- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/( t0 u) H" K$ d( A
- Solution: Please check the provided reference or the vendor website.
) E1 _. x' c( A- ^8 e- H& b# S- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd7202 D. S2 [2 @1 |+ M0 B* U) k! h
"- P% Q) b, q$ f9 h
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:, R* V# E- m+ g! D
In “config.asp”, wherever you have:
. G z" Z9 D% d# [4 ^% B/ F1 [ ConfigAllowedExtensions.Add “File”,”Extensions Here”0 y' n! ~; \ \( U# W9 N
Change it to:" h( x: |9 U Y! i( A/ \' h
ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”; [* _6 I- `- m" C* L! b4 s: e
) ^- m7 Y+ O9 N& M) N0 G0 t1 `/ s
. E7 D2 p9 ~' C/ l" A( m3 q
7 O/ q( W: q5 O
4 ^5 w* y7 \. l( u
) }/ c8 T4 j( d( j q* U4 H! L6 |php测试无效
6 _. {* P% M' `3 qasp/aspx测试成功:
' l" Y. H" p$ l. M来到/FCKeditor/editor/filemanager/connectors/test.html9 D# L6 q/ e6 O) h
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt+ T8 B! k9 W4 P$ z
6 Z* `: z# S5 V6 zburpsuite上传包并修改,repeater
; s- N$ \3 {; E4 x5 x2 K名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp+ a5 E" X9 ]$ A2 ~% l
3 ]2 a* o* p" L0 Z如图,webshell为:http://localhost/userfiles/file/asd(1).asp3 v5 y9 J7 s: g
! B l1 `6 G! M' L% P7 R: ], f
|