找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2378|回复: 0
打印 上一主题 下一主题

最新FCKEditor ASP上传绕过漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-10 10:18:50 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
exploiut-db:
9 U- y% y7 _0 O: E5 Y! L2 M1 O' S; ?$ b, d8 N
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass( w! J' \# c. A  c) q
3 c& B4 ?2 l7 |4 L" y; a
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass; P) X" N$ K$ u# S# S
- Credit goes to: Mostafa Azizi, Soroush Dalili2 }9 R: Z2 U# v
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
! K7 n' I8 U' a# U; V- Description:$ F5 M9 `6 N8 s
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
' W9 m% m7 M5 L% z" O% _% P9 G6 t8 A% ]dealing with the duplicate files. As a result, it is possible to bypass0 z4 |, t! [3 u  d, G. T$ r8 A% q# s
the protection and upload a file with any extension.
: X  A" g* o' w; Q  j( o, J7 Z/ U- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
& ^0 w6 H  {/ C- Y4 A, a, e# C- Solution: Please check the provided reference or the vendor website.
% G6 x1 w: x  h& @6 P0 M# K* Q+ _- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720) e' ^- [" c4 |: C  r. ]) A
"" B4 I/ B6 @+ l
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:% u+ I+ R; D% r5 y' T8 q
In “config.asp”, wherever you have:$ l9 @6 |  k) {+ P# K
      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
6 _- ]& X. @% m  xChange it to:
/ N9 {$ H* h0 K' H$ n- P$ @      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”: R3 \# e( \( C2 k2 |4 d7 j5 e
% s! p$ C7 [! c

' M0 p; t$ I# d+ H0 m4 a6 Q9 }) W  c/ P: T
  s+ d  M8 q/ `5 e! D  ?
2 h: P  ?  i" m" ^, F# j5 s# S" K
php测试无效7 u! L3 _: |/ x+ R: d2 m! C
asp/aspx测试成功:
* L, O% u# o! B: H" j1 I  C来到/FCKeditor/editor/filemanager/connectors/test.html
6 O" A% ?5 Z$ P0 C因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
$ @5 c6 o8 L( F$ ^& l8 M
/ I% ?0 Y* ]  Y6 ?7 aburpsuite上传包并修改,repeater
4 F. b! Z8 o8 C" V* Z名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp! \2 J  X, J% Z0 U% i" ?

5 R+ _, i; j- o2 w如图,webshell为:http://localhost/userfiles/file/asd(1).asp
5 r# F: v8 A/ U/ C( x8 g( P' C$ w! _0 o$ N: P2 ^0 {& u
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表