最新FCKEditor ASP上传绕过漏洞

admin

exploiut-db：
7 ~# ?7 C+ X; `4 n. t, e3 X6 F) i
7 l. o. a* k+ ^  n2 h: MFCKEditor ASP Version 2.6.8 File Upload Protection Bypass
0 Y5 N2 o" O* }* C. h0 t' S* f
/ k% |* p4 Z4 c1 n+ R& y3 `* W$ a( D- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
3 i, u; V. z8 c& ?9 N" i- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
) J. x+ A; o9 @- Description:
( I2 H% B% I! X" t% C, w! EThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
. ?  W& u6 Z% q+ e* Y- Solution: Please check the provided reference or the vendor website.
' [! [: q( H  `& T9 d7 Y* ^- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
$ m; E6 V4 R3 E0 S"
# o9 I: u7 u$ @, y1 C# a/ K- lNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
& ]1 ^- O& h7 B8 uIn “config.asp”, wherever you have:
: m  w7 O- ]; Y' X3 B$ k      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
, g5 R! k& x0 \8 V$ i' u- cChange it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”





php测试无效
asp/aspx测试成功：
8 X! h9 s( ~" _' E' Z- E来到/FCKeditor/editor/filemanager/connectors/test.html
5 \+ E) I3 m0 v+ `因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt

burpsuite上传包并修改，repeater
9 k/ M' s9 |# Y6 C名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp
9 }5 t2 s9 X3 w1 g) Q' B$ |1 I
' {/ U' M& f6 z/ Q# l/ C2 p如图，webshell为：http://localhost/userfiles/file/asd(1).asp