exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
PHP test: did not work.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
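As an added illustration of why the quick patch above wraps the extension list in "^( )$" (this is example code written here, not FCKEditor's own connector code): a small Python model of an allow-list extension check, run both unanchored and anchored against the file names from the post. The allow-list `txt|jpg|gif`, the helper names and the extra control-character check are assumptions made for this example.

```python
import re

# Constructed allow-list in the "ext1|ext2" shape the config line uses;
# the vendor's real default list is not reproduced on this page.
ALLOWED_FILE_EXTENSIONS = "txt|jpg|gif"


def extension_of(filename: str) -> str:
    """Text after the last dot, as a naive connector extracts it ('' if no dot)."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1]


def is_allowed(filename: str, pattern: str = ALLOWED_FILE_EXTENSIONS,
               anchored: bool = True) -> bool:
    """Model of the allow-list check (assumed shape, not the vendor's code).

    anchored=False mirrors the original 'Extensions Here' pattern: a bare
    alternation that a search-style match accepts if an allowed extension
    appears ANYWHERE in the extracted extension, so 'asp\\x00txt' passes
    because it contains 'txt'.
    anchored=True mirrors the quick patch '^(Extensions Here)$': the whole
    extracted extension must equal exactly one allowed value.
    \\Z is used instead of $ because Python's $ also matches before a trailing
    newline; VBScript's $ (non-multiline) does not.
    """
    ext = extension_of(filename)
    regex = rf"^({pattern})\Z" if anchored else pattern
    return re.search(regex, ext, re.IGNORECASE) is not None


def has_control_chars(filename: str) -> bool:
    """Extra defensive check (an assumption here, not from the advisory):
    reject names containing NUL or other control characters, since a NUL
    can truncate the name the file is actually stored under."""
    return any(ord(c) < 0x20 for c in filename)


if __name__ == "__main__":
    for name in ("asd.asp.txt", "asd.asp\x00txt", "shell.asp"):
        print(repr(name),
              "unanchored:", is_allowed(name, anchored=False),
              "anchored:", is_allowed(name, anchored=True),
              "control chars:", has_control_chars(name))
```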