exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when the FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
PHP version: test ineffective
ASP/ASPX version: test successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-file (second upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite and modify it in Repeater
Change the filename to asd.asp%00txt, then convert the %00 into URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
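Added example (editor's illustration, not code from the advisory, from FCKeditor, or from the poster above): a small Python model of the two points the thread makes. The advisory's quick patch anchors the allowed-extension pattern with ^(...)$ so that a substring match is no longer enough, and the test notes show that the name written on collision (asd(1).asp) is not the name that was validated. The allow-list, the file names and the in-memory "filesystem" are constructed stand-ins; the NUL truncation models how C-style filesystem APIs stop at the first zero byte, which is what the poster's %00 trick relies on.

```python
"""Model of an upload connector's extension check and duplicate-name handling.

Constructed illustration only: the allow-list is a short stand-in for the
real config.asp list, and the "filesystem" is a Python set.
"""
import re
from typing import Optional, Set

# Stand-in for the list passed to ConfigAllowedExtensions.Add "File", "..."
ALLOWED = "7z|aiff|txt|zip"

# Pre-patch shape: unanchored, so any extension *containing* an allowed word passes.
UNANCHORED = re.compile(ALLOWED, re.IGNORECASE)
# Patched shape: ^(...)$, the whole extension must be one of the allowed words.
# (Python's $ also matches before a trailing newline, so the hardened path below
# additionally rejects control characters.)
ANCHORED = re.compile(rf"^({ALLOWED})$", re.IGNORECASE)


def extension_of(name: str) -> str:
    """Text after the last dot, as a connector would compute it ('' if none)."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def allowed_unanchored(name: str) -> bool:
    return UNANCHORED.search(extension_of(name)) is not None


def allowed_anchored(name: str) -> bool:
    return ANCHORED.search(extension_of(name)) is not None


def as_stored(name: str) -> str:
    """Name the storage layer actually uses: a C-style API stops at the first NUL."""
    return name.split("\x00", 1)[0]


def next_free_name(name: str, existing: Set[str]) -> str:
    """'file.ext' -> 'file(1).ext', 'file(2).ext', ... until there is no collision."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        stem, ext = name, ""
    candidate, n = name, 0
    while candidate in existing:
        n += 1
        candidate = f"{stem}({n}){dot}{ext}"
    return candidate


def save_vulnerable(name: str, existing: Set[str]) -> Optional[str]:
    """Validate once, on the raw upload name, then rename on collision.

    The name finally written (after NUL truncation and renaming) is never
    checked again. Returns the stored name, or None if rejected.
    """
    if not allowed_unanchored(name):
        return None
    final = next_free_name(as_stored(name), existing)
    existing.add(final)
    return final


def save_hardened(name: str, existing: Set[str]) -> Optional[str]:
    """Reject NUL/control characters, then validate the *final* stored name."""
    if any(ord(c) < 0x20 for c in name):
        return None
    final = next_free_name(name, existing)
    if not allowed_anchored(final):
        return None
    existing.add(final)
    return final


if __name__ == "__main__":
    disk: Set[str] = set()
    evil = "asd.asp\x00txt"          # what asd.asp%00txt becomes after URL-decoding
    print(save_vulnerable(evil, disk))  # asd.asp   (passes: extension contains "txt")
    print(save_vulnerable(evil, disk))  # asd(1).asp (collision path, still unchecked)
    print(save_hardened(evil, set()))   # None      (NUL rejected)
    print(save_hardened("notes.txt", {"notes.txt"}))  # notes(1).txt
```

The anchored pattern alone would have stopped this particular payload, but the more general rule is the second one: validate the name you are about to write, after sanitisation and after any rename, not the name the client sent.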