Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"
PHP test: no effect.
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier second-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it via Repeater:
change the name to asd.asp%00txt, then convert the %00 with URL encoding; after the upload you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
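The quick patch above wraps the allowed-extension list in ^( )$ so the pattern must match the whole tested string instead of any substring of it. The following Python is an added illustration of why that matters, not code from the advisory, the forum poster or FCKeditor itself: it contrasts an unanchored and an anchored allowlist check, then shows a hardened upload-name check that rejects control characters (the NUL byte the walkthrough relies on), decides only on the final extension, and re-validates the name produced by duplicate-file renaming (the name(1).ext form seen in the walkthrough's result). The allowlist "txt|jpg|png", the function names and the scenario in which the pattern is tested against a full filename are all constructed assumptions; the page does not show the FCKeditor validation code.

```python
import re

# Constructed allowlist; the page shows only the placeholder "Extensions Here".
ALLOWED_EXTENSIONS = "txt|jpg|png"

# The two forms from the quick patch: the bare list, and the list anchored with ^( )$.
UNANCHORED = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)
ANCHORED = re.compile(r"^(" + ALLOWED_EXTENSIONS + r")$", re.IGNORECASE)


def final_extension(filename: str) -> str:
    """Extension after the LAST dot of the bare filename, lowercased ('' if none)."""
    base = re.split(r"[\\/]", filename)[-1]
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def passes_unanchored(tested: str) -> bool:
    """Unanchored search: succeeds if any allowed token appears anywhere in the string."""
    return UNANCHORED.search(tested) is not None


def passes_anchored(tested: str) -> bool:
    """Anchored match: the whole tested string must be one allowed extension."""
    return ANCHORED.match(tested) is not None


def check_upload_name(filename: str):
    """Hardened check for an upload handler (constructed example):
    - reject control characters; a NUL can truncate the name below the application layer
    - decide only on the final extension of the bare filename
    - require an anchored allowlist match
    Returns (accepted, reason_or_extension)."""
    if any(ord(ch) < 0x20 for ch in filename):
        return False, "control character in filename"
    ext = final_extension(filename)
    if not ext:
        return False, "missing extension"
    if not passes_anchored(ext):
        return False, "extension not allowed: " + ext
    return True, ext


def unique_name(filename: str, existing: set) -> str:
    """Duplicate handling in the name(1).ext style, followed by re-validation of the
    final name, so the rename path cannot bypass the extension check."""
    base = re.split(r"[\\/]", filename)[-1]
    stem, dot, ext = base.rpartition(".")
    candidate = base
    n = 0
    while candidate in existing:
        n += 1
        candidate = f"{stem}({n}).{ext}" if dot else f"{base}({n})"
    accepted, reason = check_upload_name(candidate)
    if not accepted:
        raise ValueError(reason)
    return candidate


if __name__ == "__main__":
    for name in ["asd.asp.txt", "asd.asp\x00txt", "asd(1).asp"]:
        print(repr(name), check_upload_name(name))
    print(unique_name("asd.txt", {"asd.txt"}))
```

The unanchored pattern reports "asd.asp.txt" as acceptable when run over the whole name because "txt" occurs somewhere in it, whereas the anchored pattern only accepts a string that is exactly one allowed extension; this is the difference the ^( )$ wrapping in the patch introduces. The hardened check refuses the NUL-containing name outright rather than letting a later layer decide where the name ends.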