exploiut-db:
2 z5 d# U! t3 b A0 f6 ]+ j8 D5 |) J1 q% P
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass5 t7 T8 z$ @- @" o# @7 y
6 h1 K/ ]6 B! ^$ u) R4 q/ ~
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass$ u T! r. h3 G1 z( W% z
- Credit goes to: Mostafa Azizi, Soroush Dalili: p9 g0 Y! E; _7 O4 i3 x! u
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/& F" ^' I" y. K6 `
- Description:* y& ?8 i$ g* y3 u# P& C
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is7 b6 m, p+ E. O7 Q1 L, }9 H
dealing with the duplicate files. As a result, it is possible to bypass5 w) |5 B% H% R* G$ A4 G
the protection and upload a file with any extension.& Z0 h2 i6 p; Y$ C* s
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
3 J( g9 ]" ]( u9 P- Solution: Please check the provided reference or the vendor website.
( K( U4 J! R1 W l) z- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720$ M3 w- l' r9 K
"8 f0 ?4 F! \4 D, |, r
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
+ d4 I Z1 R* x, |. T7 ]In “config.asp”, wherever you have:
" ?/ }! {- ]" V; [0 t7 K. t ConfigAllowedExtensions.Add “File”,”Extensions Here”. y0 T" ?8 n0 X" q; H4 A Q
Change it to:
# H/ n' w" g# V ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”" D+ K% a( G/ f; Y& Y$ p! A* B8 \
5 ?/ @) R" z) P
* p7 i8 ~7 K! k7 w% D V2 e0 }0 N4 O; f0 ^: K+ v
, z, S" D Z" W5 m9 w+ d
- s" V$ q6 t A/ e$ ?, E$ C
php测试无效
$ f7 s E7 }: L1 Kasp/aspx测试成功:
3 O3 ]9 ?4 u2 c) j3 W来到/FCKeditor/editor/filemanager/connectors/test.html
8 y+ q l7 o1 d# [) n6 _6 @' i' H因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
" C$ F5 n" _3 b, A' O& I# H& @6 y+ g* ~6 d- G, K+ x! c; [8 J U" f
burpsuite上传包并修改,repeater" I1 T: g5 ~& h5 i2 z3 w
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp+ g" I2 Y, E G$ @9 U
8 g2 \( ]+ G$ w# m7 V: t如图,webshell为:http://localhost/userfiles/file/asd(1).asp8 i' B& Q% T( z4 t/ x4 R
+ E) p( _8 W# r. Q: N
|
发表于 2012-12-10 10:18:50
收藏
支持
反对