exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
Tested against the PHP version: does not work.
Tested against the ASP/ASPX version: works.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this chains with the earlier duplicate-upload vulnerability (uploading a second file with the same name), first upload a file with arbitrary content named asd.asp.txt
Capture the upload request in Burp Suite and modify it in Repeater:
change the filename to asd.asp%00txt, then URL-decode the %00 so the filename carries a raw null byte; after uploading, the stored file is asd(1).asp
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
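The following JavaScript is an added illustration and is not FCKeditor's source, the advisory author's code, or the forum poster's. VBScript's RegExp object is the JScript engine, so the two patterns below behave exactly as they would in io.asp/config.asp. It models three things the text above relies on: the unanchored allowed-extension pattern that the quick patch wraps in ^( ... )$, the name(1).ext rename applied to a duplicate, and the truncation at the first NUL byte that C-string filesystem APIs perform. The abbreviated allowed list, the rename logic and every function name here are constructed for the example; the real connector is longer and differs in detail.

```javascript
// Added illustration, not FCKeditor's source: models the 2.6.8 ASP connector's
// extension check before/after the config.asp quick patch, the name(1).ext
// rename applied to duplicates, and NUL truncation by C-string filesystem APIs.
// VBScript's RegExp object is the JScript engine, so these regexes behave the
// same way as they would in io.asp / config.asp.

// Constructed, abbreviated allowed list for the "File" resource type
// (the real config.asp list is longer; the shape is the same: ext|ext|ext).
const ALLOWED_FILE_EXTS = "gif|jpeg|jpg|png|pdf|txt|zip";

// Split a client-supplied filename the way the connector does: the extension is
// whatever follows the last dot, lower-cased for the case-insensitive check.
function splitName(fileName) {
  const dot = fileName.lastIndexOf(".");
  if (dot === -1) return { base: fileName, ext: "" };
  return { base: fileName.slice(0, dot), ext: fileName.slice(dot + 1).toLowerCase() };
}

// Unpatched check: the config value is used as the pattern as-is. Unanchored,
// so "txt" appearing anywhere inside the extension string is enough to pass.
function isAllowedExtUnanchored(ext) {
  return new RegExp(ALLOWED_FILE_EXTS, "i").test(ext);
}

// Quick patch from the advisory: wrap the list in ^( ... )$ so the *entire*
// extension must equal one of the allowed values.
function isAllowedExtAnchored(ext) {
  return new RegExp("^(" + ALLOWED_FILE_EXTS + ")$", "i").test(ext);
}

// Duplicate handling as observed in the post (asd -> asd(1).asp): a counter is
// inserted before the extension. Modelled here, not copied from FCKeditor.
function renameDuplicate(fileName, counter) {
  const { base, ext } = splitName(fileName);
  return ext === "" ? `${base}(${counter})` : `${base}(${counter}).${ext}`;
}

// Model of what reaches the disk: the Win32 APIs behind the COM FileSystemObject
// take NUL-terminated strings, so everything after the first \0 is dropped.
// (Pure string model; no filesystem access.)
function storedName(fileName) {
  const nul = fileName.indexOf("\0");
  return nul === -1 ? fileName : fileName.slice(0, nul);
}

// Hardened validation (example, not from FCKeditor): refuse control characters
// outright so the script and the filesystem cannot disagree about the name,
// then apply the anchored check.
function validateUploadName(fileName) {
  if (/[\x00-\x1f]/.test(fileName)) {
    return { ok: false, reason: "control character in filename" };
  }
  const { ext } = splitName(fileName);
  if (!isAllowedExtAnchored(ext)) {
    return { ok: false, reason: "extension not allowed: " + JSON.stringify(ext) };
  }
  return { ok: true, name: fileName };
}

// The advisory's core point: validation must cover the name that is actually
// saved. Re-validate after the duplicate rename instead of trusting the
// extension computed on the original name.
function renameAndRevalidate(fileName, counter) {
  const renamed = renameDuplicate(fileName, counter);
  const verdict = validateUploadName(renamed);
  return verdict.ok ? { ok: true, name: storedName(renamed) } : verdict;
}

// Walk the post's payload through both code paths.
function demo() {
  const payload = "asd.asp\0txt"; // what Burp sends once the %00 is URL-decoded
  const { ext } = splitName(payload);
  return {
    extensionSeenByScript: ext,
    passesUnanchored: isAllowedExtUnanchored(ext),
    passesAnchored: isAllowedExtAnchored(ext),
    nameAfterRename: renameDuplicate(payload, 1),
    nameOnDisk: storedName(renameDuplicate(payload, 1)),
    hardenedVerdict: renameAndRevalidate(payload, 1),
  };
}

console.log(demo());
```

Run it with node. The demo() output shows the same extension string ("asp" + NUL + "txt") passing the unanchored pattern and failing the anchored one, and the renamed name losing everything after the NUL once it is stored, which is what turns asd.asp%00txt into asd(1).asp. The hardened path rejects the name before any rename is trusted.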