exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
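Added example (not code from the advisory, the vendor or the forum poster) modelling why the quick patch works: used as a bare regular expression, the allow-list from config.asp only has to match a sub-string of the extension, whereas the ^(...)$ form has to match the whole extension. The extension list and the assumption that the vulnerable duplicate-file branch applied the list unanchored are constructed for illustration, not taken from the connector's code.

```python
import re

# Constructed stand-in for the value config.asp passes to
# ConfigAllowedExtensions.Add "File", "...". Real installations list more.
ALLOWED_EXTENSIONS = "txt|gif|jpg|png|pdf"


def ext_allowed_unanchored(extension: str) -> bool:
    """Model of the weak check (assumption): the list used as a bare pattern.
    re.search accepts any extension that merely contains an allowed entry."""
    return re.search(ALLOWED_EXTENSIONS, extension, re.IGNORECASE) is not None


def ext_allowed_anchored(extension: str) -> bool:
    """The advisory's quick patch: wrap the list in ^(...)$ so the whole
    extension must equal exactly one allowed entry."""
    pattern = "^(" + ALLOWED_EXTENSIONS + ")$"
    return re.search(pattern, extension, re.IGNORECASE) is not None


def last_extension(filename: str) -> str:
    """Extension as a stricter validator derives it: the text after the final
    dot of the complete name (so 'asd.asp.txt' yields 'txt', not 'asp')."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def upload_name_acceptable(filename: str) -> bool:
    """Defensive check for any stored name, including renamed duplicates:
    reject NUL bytes outright (they truncate names in older runtimes), require
    an extension, and match it against the anchored allow-list."""
    if "\x00" in filename:
        return False
    ext = last_extension(filename)
    if not ext:
        return False
    return re.fullmatch(ALLOWED_EXTENSIONS, ext, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name in ("asd.asp.txt", "asd.asp\x00txt", "asd(1).asp"):
        print(repr(name), upload_name_acceptable(name))
```

The anchored check must be applied to every name the connector writes, including the "(1)" variant it generates for duplicates, or the rename path stays unprotected.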
PHP test: no effect.
ASP/ASPX test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite, modify it and send it through Repeater.
Change the name to asd.asp%00txt, then URL-encode the %00; after uploading, you get asd(1).asp.

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp