Exploit-DB: FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
PHP test: no effect.
ASP/ASPX test: successful.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it and send it from Repeater:
Change the name to asd.asp%00txt, then URL-decode the %00; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
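The added example below (not code from the advisory, the forum post or the FCKeditor project) models in Python why the quick patch above matters and what the test notes above exercise. The allow-list string is a constructed sample in the pipe-separated shape used by config.asp, and the file names, including the null-byte name from the notes, are constructed test inputs; the function names are assumptions of this example. Beyond the two settings on the page it adds a stricter validator that also rejects control characters, because the ASP `^(...)$` form still has one gap shown in the comments.

```python
import re

# Constructed allow-list in the shape config.asp uses for the "File" resource
# type (pipe-separated extensions). It is a sample, not the vendor's default list.
ALLOWED_FILE_EXTENSIONS = "doc|gif|jpg|pdf|png|txt|zip"


def extension_of(filename: str) -> str:
    """Return everything after the last dot, lower-cased ('' if there is no dot)."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def weak_extension_check(filename: str) -> bool:
    """Weak setting, equivalent to:
        ConfigAllowedExtensions.Add "File","doc|gif|jpg|pdf|png|txt|zip"
    The pattern is unanchored, so it is enough that SOME substring of the
    extension matches an allowed token.  The extension of 'asd.asp\\x00txt'
    is 'asp\\x00txt', which contains 'txt' and is therefore accepted.
    """
    return re.search(ALLOWED_FILE_EXTENSIONS, extension_of(filename), re.IGNORECASE) is not None


def patched_extension_check(filename: str) -> bool:
    """Corrected setting from the advisory's quick patch, equivalent to:
        ConfigAllowedExtensions.Add "File","^(doc|gif|jpg|pdf|png|txt|zip)$"
    Anchoring forces the WHOLE extension to be one allowed token, so
    'asp\\x00txt' no longer matches.  Caveat (true of Python's re and of
    many regex engines): '$' also matches just before a trailing newline,
    so an extension of 'txt\\n' still passes this check.
    """
    pattern = "^(" + ALLOWED_FILE_EXTENSIONS + ")$"
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def hardened_extension_check(filename: str) -> bool:
    """Stricter validator (an addition of this example, not part of the advisory):
    - reject any control character (NUL, CR, LF, ...) anywhere in the name, so
      the name the check sees is the name the filesystem will write;
    - require the final extension to be an allowed token using fullmatch,
      which closes the trailing-newline gap of '$'.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        return False
    ext = extension_of(filename)
    return re.fullmatch(ALLOWED_FILE_EXTENSIONS, ext, re.IGNORECASE) is not None


def evaluate(filename: str) -> dict:
    """Run all three checks on one name; handy for a comparison table."""
    return {
        "weak": weak_extension_check(filename),
        "patched": patched_extension_check(filename),
        "hardened": hardened_extension_check(filename),
    }


if __name__ == "__main__":
    # Constructed inputs: a benign upload, the null-byte name from the test
    # notes, a bare .asp name, and a name with a trailing newline.
    for name in ["asd.txt", "asd.asp\x00txt", "asd.asp", "asd.txt\n"]:
        print(repr(name), evaluate(name))
```

Reading the table the script prints: the unanchored setting accepts the null-byte name, the anchored setting from the quick patch rejects it, and only the hardened check also rejects the trailing-newline variant. When reviewing a deployed config.asp, the thing to confirm is that every `ConfigAllowedExtensions.Add` line carries the `^(` ... `)$` anchors, not just the "File" one.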