exploiut-db:
' L* x5 w2 N: g& G# L. _& B" N5 Z4 f' f) ^* R1 z
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass/ q0 _) R% B! z
* M! N) m: A6 D8 ]2 ?$ \8 r
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
1 H# S6 t, a, f5 x5 B' g3 c @- Credit goes to: Mostafa Azizi, Soroush Dalili
: J# b* w1 P2 }6 f) L- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
0 E( f( X2 Z8 Q5 e3 C% A- Description:& U$ i r3 d3 f! J
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is. V, l7 g- p( R1 n5 m1 [" z. A
dealing with the duplicate files. As a result, it is possible to bypass5 U' v9 g9 p" }7 o; S1 X3 c* M
the protection and upload a file with any extension.9 z* ^: Z w& |" }/ H3 X1 H
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/+ F' M7 F T) V1 w% [
- Solution: Please check the provided reference or the vendor website.1 g: C$ L9 u6 k$ P; B; a
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
7 p* w% e0 k4 Y3 q3 P @"
% E5 d$ ^! I# D) O7 NNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
8 Q& w" U I0 {5 XIn “config.asp”, wherever you have:
. {6 M- W J( E- Z# [ ConfigAllowedExtensions.Add “File”,”Extensions Here”
9 E9 \/ U2 X& F, TChange it to:
" A( L7 ^& W4 l/ s' o; O ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”
( i z6 k/ A4 I! j" ~* S+ I2 ]; G' @& e v% r; ~: {
3 d' y& E0 |" l6 E! w& _
V p3 y: l0 G( F$ |5 A- s
1 v% ]. w. ?8 {% j+ f4 s7 F7 N# W5 Z( ~: [& B$ k
php测试无效# f% O% ~1 [9 a: ]
asp/aspx测试成功:
: g3 j' x8 h1 s0 [来到/FCKeditor/editor/filemanager/connectors/test.html
. \, x9 q7 M/ o! J1 f因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
9 {7 _$ } i7 G# N; K* q3 x6 v( E) c! G* t
burpsuite上传包并修改,repeater& x: ?0 b4 u+ P0 r
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
U& y7 \1 B: z. [$ d: }& K
% @: C2 K* ~, J v7 W2 \如图,webshell为:http://localhost/userfiles/file/asd(1).asp5 e- t6 J" n% Q6 G4 O% _6 X
* F0 Z6 M+ O# q+ j$ ~9 t4 {& l
|