Latest FCKEditor ASP upload bypass vulnerability

OP, posted 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"

Tested against PHP: no effect.
Tested against ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier re-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp

As shown in the image, the webshell is: http://localhost/userfiles/file/asd(1).asp