Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:
"
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: did not work.
Tested on ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 into its URL-encoded form; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
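An added illustration, written for this page and not taken from FCKEditor or from the post above, of why the quick patch anchors the extension pattern: an alternation without ^ and $ accepts any extension that merely contains a whitelisted word (such as asp<NUL>txt, which contains "txt"), while the anchored form requires the whole extension to match. The sample whitelist, the NUL truncation and the (n) renaming of duplicates are constructed assumptions modelling the behaviour the post describes; accept_upload additionally validates the name that will actually be stored.

```python
import re

# Constructed sample whitelist for the "File" resource type (not FCKEditor's
# real list). Both patterns use the same alternation; only the anchors differ.
ALLOWED = "txt|jpg|png|pdf"
UNANCHORED = re.compile(ALLOWED, re.IGNORECASE)                # pre-patch style
ANCHORED = re.compile(r"^(" + ALLOWED + r")$", re.IGNORECASE)  # quick-patch style


def extension_of(name: str) -> str:
    """Everything after the last dot, as a naive connector would extract it."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_allowed_unanchored(name: str) -> bool:
    """Weak check: a whitelisted word anywhere inside the extension is enough,
    so the extension 'asp\\x00txt' passes because it contains 'txt'."""
    return UNANCHORED.search(extension_of(name)) is not None


def is_allowed_anchored(name: str) -> bool:
    """Patched check: the whole extension must equal one whitelisted entry."""
    return ANCHORED.search(extension_of(name)) is not None


def stored_name(name: str, existing: set) -> str:
    """Constructed model of what ends up on disk: the name is cut at a NUL byte
    (as a native file API would do) and a duplicate gets a (n) suffix."""
    name = name.split("\x00", 1)[0]
    if name not in existing:
        return name
    base, dot, ext = name.rpartition(".")
    if not dot:                      # no extension at all
        base, ext = name, ""
    n = 1
    while f"{base}({n}){dot}{ext}" in existing:
        n += 1
    return f"{base}({n}){dot}{ext}"


def accept_upload(name: str, existing: set):
    """Hardened flow: refuse control characters up front, then validate the
    name that will actually be stored, not the one the client submitted.
    Returns the final name, or None when the upload must be rejected."""
    if any(ord(c) < 32 for c in name):
        return None
    final = stored_name(name, existing)
    return final if is_allowed_anchored(final) else None
```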