exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
" z6 `( t1 g8 q) i& o/ D
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"6 T3 d2 m2 E$ {3 Z
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
 ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
 ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
PHP test: ineffective.
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite, modify it, and send it from Repeater
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
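To show why the quick patch above wraps the allow-list in ^(...)$, here is an added example in Python (not FCKEditor's ASP code): it contrasts an unanchored allow-list check with the anchored, hardened form and runs both over constructed file names, including the decoded form of the asd.asp%00txt name from the test notes. The allow-list string and the extension helper are assumptions, not the real config.

```python
import re

# Constructed stand-in for the allow-list string that config.asp hands to
# ConfigAllowedExtensions.Add; the real FCKEditor list is longer.
ALLOWED = "txt|jpg|gif|png"


def extension_of(filename: str) -> str:
    """Everything after the last dot; empty when there is no dot."""
    _head, sep, ext = filename.rpartition(".")
    return ext if sep else ""


def allowed_unanchored(filename: str) -> bool:
    """Weak check: the allow-list is used as a bare pattern, so a substring
    match anywhere inside the extension is enough to pass."""
    return re.search(ALLOWED, extension_of(filename), re.IGNORECASE) is not None


def allowed_anchored(filename: str) -> bool:
    """Quick-patch form from the advisory: ^(...)$ demands a whole-string match.
    re.fullmatch is used instead of a literal ^...$ because in Python `$` also
    matches just before a trailing newline, which would leave a gap."""
    ext = extension_of(filename)
    # Reject NUL and other control bytes outright; a file system or runtime
    # that truncates at NUL must never see them in a name.
    if any(ord(c) < 0x20 for c in ext):
        return False
    return re.fullmatch(f"({ALLOWED})", ext, re.IGNORECASE) is not None


# Constructed names; the third is the decoded form of asd.asp%00txt from the post.
SAMPLES = [
    "asd.txt",
    "asd.TXT",
    "asd.asp",
    "asd.asp\x00txt",
    "asd.asptxt",
    "asd.txt\n",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:18} unanchored={allowed_unanchored(name)!s:5} "
              f"anchored={allowed_anchored(name)}")
```

Only the anchored check keeps asd.asp%00txt and asd.asptxt out; the unanchored one passes anything whose extension merely contains an allowed token.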