exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
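Why the anchors matter, as an added Python model (not code from the advisory or from FCKEditor): an unanchored pattern such as `txt|zip` is a substring test, so any extension that merely contains an allowed one passes, whereas the patched `^(...)$` form only passes a whole extension. The shortened allowed list, the duplicate-renaming scheme and the check of the final stored name are assumptions made for this illustration.

```python
import re
from typing import Set, Tuple

# Constructed, shortened allowed list for the "File" resource type, in the
# same pipe-separated form as ConfigAllowedExtensions.Add in config.asp.
ALLOWED_FILE_EXTS = "7z|doc|gif|jpg|pdf|png|txt|zip"


def is_allowed_ext_unanchored(extension: str, allowed: str = ALLOWED_FILE_EXTS) -> bool:
    """Behaviour of an unanchored pattern: a substring match anywhere passes."""
    return re.search(allowed, extension, re.IGNORECASE) is not None


def is_allowed_ext_anchored(extension: str, allowed: str = ALLOWED_FILE_EXTS) -> bool:
    """Behaviour of the patched pattern ^(...)$: the whole extension must match."""
    return re.fullmatch(f"(?:{allowed})", extension, re.IGNORECASE) is not None


def accept_upload(filename: str, existing: Set[str]) -> Tuple[bool, str]:
    """Decide whether an upload is stored and under which name.

    Hypothetical handler: duplicates are renamed name(1).ext, name(2).ext, ...
    and the anchored check is applied to the name that is actually stored,
    not to the user-supplied name. Names with a NUL byte are rejected
    outright, since the stored name would be truncated there.
    """
    if not filename or "\x00" in filename:
        return False, ""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem:
        return False, ""
    candidate, counter = filename, 1
    while candidate in existing:          # duplicate handling
        candidate = f"{stem}({counter}).{ext}"
        counter += 1
    final_ext = candidate.rsplit(".", 1)[-1]
    if not is_allowed_ext_anchored(final_ext):
        return False, ""
    return True, candidate


if __name__ == "__main__":
    # "asp\x00txt" contains "txt", so the substring test lets it through.
    print(is_allowed_ext_unanchored("asp\x00txt"), is_allowed_ext_anchored("asp\x00txt"))
    print(accept_upload("report.txt", {"report.txt"}))
```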
Tested on PHP: does not work.
Tested on ASP/ASPX: works:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then URL-encode the %00; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp