exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

Tested on PHP: no effect.
Tested on ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite and modify it in Repeater:
change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
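Why the quick patch is just two anchor characters, and why the asd.asp%00txt name from the test above gets through without them: VBScript's RegExp.Test, like Python's re.search, reports success if the pattern matches anywhere in the tested string, so a bare "txt|jpg|..." alternation passes any name that merely contains an allowed extension. The Python below is an added illustration written for this post, not FCKeditor's connector code; the extension list is a constructed sample, the assumption that the vulnerable path tests the pattern against more than the bare extension is stated in the comments, and is_upload_allowed is a hardened check of my own, not the vendor's fix.

```python
import re

# Constructed sample allowed-extension list, in the "a|b|c" form that
# config.asp passes to ConfigAllowedExtensions.Add (not the real default list).
ALLOWED_FILE_EXTENSIONS = "txt|jpg|gif|png|zip"


def passes_unanchored(candidate: str, allowed: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """Weak setting: the bare alternation is used as the pattern.

    Assumption for this illustration (not verified against the connector's
    source): the tested string is a file name rather than only its extension.
    A search-style test then succeeds on any name that *contains* an allowed
    extension, including asd.asp.txt and asd.asp\\x00txt.
    """
    return re.search(allowed, candidate, re.IGNORECASE) is not None


def passes_anchored(candidate: str, allowed: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """The page's quick patch: wrap the list in ^(...)$ so the whole tested
    string must be exactly one allowed extension."""
    return re.search(f"^({allowed})$", candidate, re.IGNORECASE) is not None


def extension_of(name: str) -> str:
    """Everything after the last dot, or '' when there is no dot."""
    _head, sep, ext = name.rpartition(".")
    return ext if sep else ""


def is_upload_allowed(name: str, allowed: str = ALLOWED_FILE_EXTENSIONS) -> bool:
    """Hardened check (my own, not FCKeditor's): reject control characters
    such as the NUL byte outright, then require the extension after the last
    dot to fully match one allowed entry. re.fullmatch also avoids Python's
    quirk that '$' still matches before a single trailing newline."""
    if any(ord(c) < 0x20 for c in name):
        return False
    ext = extension_of(name)
    return bool(ext) and re.fullmatch(allowed, ext, re.IGNORECASE) is not None


if __name__ == "__main__":
    # The two names from the test notes above, plus a benign one.
    for name in ("asd.asp.txt", "asd.asp\x00txt", "notes.txt"):
        print(repr(name),
              "unanchored:", passes_unanchored(name),
              "anchored:", passes_anchored(name),
              "hardened:", is_upload_allowed(name))
```

Whatever check is used, it has to run on the name that is actually written to disk, including the renamed duplicate (asd(1).asp), otherwise the rename path stays open exactly as the advisory describes.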