exploiut-db:
. j8 Y" a; S9 F$ \4 l
* C# F- N/ j" j) ]1 s6 `FCKEditor ASP Version 2.6.8 File Upload Protection Bypass) u; J6 C6 J/ r: M
" G/ z" w$ |. s* f/ w; v& W- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass: h, [( p y* }5 f6 b2 A/ H C
- Credit goes to: Mostafa Azizi, Soroush Dalili$ e% G0 q2 C6 K
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
: v: S! X( P& _6 G$ m) a3 x1 W9 F- Description:: X* L, i/ U/ z0 `8 g9 e
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is0 z: O+ ?3 O. O% Q' c4 W1 u2 U' d
dealing with the duplicate files. As a result, it is possible to bypass
2 [! Y" A+ d1 I: @, k. vthe protection and upload a file with any extension.
% ^1 W3 D' p7 S7 n! _; G2 a) o- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/! C0 a d/ f0 a" x" {1 w
- Solution: Please check the provided reference or the vendor website.
1 F+ h C2 G4 b% X1 U, H. }- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720" V. ?7 `: _& }0 i: I V) k( G
"
: X* p+ Y" l, j1 `" s" L! q3 TNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:! w" m3 |) I+ [8 L
In “config.asp”, wherever you have:4 ^- r# Z: \6 _5 F6 q
ConfigAllowedExtensions.Add “File”,”Extensions Here”
3 z1 Z" E) e! y0 P+ yChange it to:5 Q5 ^: _; @( M# |! u% @
ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”6 U. t T, R- O- [& M$ k; Y
2 [# I! c' g% H: s: I; s% p / Q2 Y1 a* C* M
/ d2 C. }7 @2 N+ ~0 R
' u9 |. h# Z V3 Y0 L- B+ V' R1 S% P$ _$ L
php测试无效 e( B$ _+ h; ?
asp/aspx测试成功:
4 z# D' X4 \! b& I, v来到/FCKeditor/editor/filemanager/connectors/test.html
( E2 \& y0 X) M$ R9 l因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
+ o6 [% C; n5 r5 @+ f3 d: ?7 o& a6 D5 {8 ?! K; k
burpsuite上传包并修改,repeater W" Y: B5 f$ o9 T
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
+ i/ f- X% E8 X4 k4 m- y( W" c' X+ U+ U/ N5 @4 Z
如图,webshell为:http://localhost/userfiles/file/asd(1).asp6 K6 `. K" C4 _: i
7 J y5 X% @2 a |
发表于 2012-12-10 10:18:50
收藏
支持
反对