Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
8 K5 [0 s4 A2 Y. m"; ]& [2 X; N& S
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"

PHP test: did not work
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload (second upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
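As an added example (not code from this forum post, from the exploit-db advisory, or from FCKeditor itself), the following Python models the two checks the quick patch above is about: the same allowlist applied as an unanchored regex accepts any extension that merely contains a permitted value, while the anchored ^(...)$ form requires the whole extension to match. It also shows the second point in the advisory's description, that the duplicate-file rename must be validated on the final name rather than only on the submitted one. The allowlist, the extension helper, the (n) rename helper and accept_upload are constructed assumptions written in Python rather than the connector's VBScript.

```python
import re
from typing import Iterable, Optional

# Constructed allowlist in the shape config.asp uses on the page: an
# alternation of permitted extensions (a real deployment's list will differ).
ALLOWED_EXTENSIONS = "txt|jpg|png|gif"

# Unanchored pattern: the form the quick patch replaces.
UNANCHORED = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)
# Anchored pattern: the ^(...)$ form the quick patch recommends.
ANCHORED = re.compile(rf"^({ALLOWED_EXTENSIONS})$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Text after the final dot, or '' when there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def extension_allowed(filename: str, pattern: "re.Pattern[str]") -> bool:
    """Apply an allowlist regex to the extension with a plain search, so the
    difference between the unanchored and anchored patterns is visible."""
    return pattern.search(extension_of(filename)) is not None


def is_safe_upload_name(filename: str) -> bool:
    """Hardened check (assumption, not FCKeditor's code):
    - reject an empty name, path separators and every control character,
      which covers the NUL byte the page's %00 decodes to;
    - require an extension that matches the anchored allowlist in full."""
    if not filename:
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False
    if "/" in filename or "\\" in filename:
        return False
    return ANCHORED.search(extension_of(filename)) is not None


def unique_name(filename: str, existing: Iterable[str]) -> str:
    """Mimic the duplicate handling the page describes: insert (1), (2), ...
    before the extension until the name is free."""
    taken = set(existing)
    if filename not in taken:
        return filename
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    n = 1
    while True:
        candidate = f"{base}({n}).{ext}" if ext else f"{base}({n})"
        if candidate not in taken:
            return candidate
        n += 1


def accept_upload(filename: str, existing: Iterable[str]) -> Optional[str]:
    """Validate the submitted name, derive the on-disk name, then validate
    that too, so the rename path can never yield a name the allowlist
    would have refused. Returns the final name, or None when rejected."""
    if not is_safe_upload_name(filename):
        return None
    final = unique_name(filename, existing)
    return final if is_safe_upload_name(final) else None


if __name__ == "__main__":
    # Constructed sample names; the NUL is what "%00" becomes after decoding.
    for name in ["report.txt", "asd.asp.txt", "asd.asp\x00txt", "asd.asp"]:
        print(repr(name),
              "unanchored:", extension_allowed(name, UNANCHORED),
              "anchored:", extension_allowed(name, ANCHORED),
              "hardened:", is_safe_upload_name(name))
```

The unanchored check passes "asd.asp\x00txt" because "txt" occurs inside the extension string; the anchored check and is_safe_upload_name both refuse it. Running the validation again on the result of unique_name closes the duplicate-file path the advisory describes, independent of which regex form is configured.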
