exploiut-db:
9 U- y% y7 _0 O: E5 Y! L2 M1 O' S; ?$ b, d8 N
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass( w! J' \# c. A c) q
3 c& B4 ?2 l7 |4 L" y; a
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass; P) X" N$ K$ u# S# S
- Credit goes to: Mostafa Azizi, Soroush Dalili2 }9 R: Z2 U# v
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
! K7 n' I8 U' a# U; V- Description:$ F5 M9 `6 N8 s
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
' W9 m% m7 M5 L% z" O% _% P9 G6 t8 A% ]dealing with the duplicate files. As a result, it is possible to bypass0 z4 |, t! [3 u d, G. T$ r8 A% q# s
the protection and upload a file with any extension.
: X A" g* o' w; Q j( o, J7 Z/ U- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
& ^0 w6 H {/ C- Y4 A, a, e# C- Solution: Please check the provided reference or the vendor website.
% G6 x1 w: x h& @6 P0 M# K* Q+ _- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720) e' ^- [" c4 |: C r. ]) A
"" B4 I/ B6 @+ l
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:% u+ I+ R; D% r5 y' T8 q
In “config.asp”, wherever you have:$ l9 @6 | k) {+ P# K
ConfigAllowedExtensions.Add “File”,”Extensions Here”
6 _- ]& X. @% m xChange it to:
/ N9 {$ H* h0 K' H$ n- P$ @ ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”: R3 \# e( \( C2 k2 |4 d7 j5 e
% s! p$ C7 [! c
' M0 p; t$ I# d+ H0 m4 a6 Q9 }) W c/ P: T
s+ d M8 q/ `5 e! D ?
2 h: P ? i" m" ^, F# j5 s# S" K
php测试无效7 u! L3 _: |/ x+ R: d2 m! C
asp/aspx测试成功:
* L, O% u# o! B: H" j1 I C来到/FCKeditor/editor/filemanager/connectors/test.html
6 O" A% ?5 Z$ P0 C因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
$ @5 c6 o8 L( F$ ^& l8 M
/ I% ?0 Y* ] Y6 ?7 aburpsuite上传包并修改,repeater
4 F. b! Z8 o8 C" V* Z名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp! \2 J X, J% Z0 U% i" ?
5 R+ _, i; j- o2 w如图,webshell为:http://localhost/userfiles/file/asd(1).asp
5 r# F: v8 A/ U/ C( x8 g( P' C$ w! _0 o$ N: P2 ^0 {& u
|