exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
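The quick patch above only adds `^(` and `)$` around the allow-list, which is easy to read past. The Python below is an added example (not FCKeditor's own code) that shows why that matters: VBScript's `RegExp.Test`, like Python's `re.search`, succeeds on a substring match, so an unanchored `gif|jpg|txt` pattern accepts any extension string that merely contains `txt`. The allow-list, the `validate_filename` and `unique_name` helpers, and the sample names are constructed for this example; `unique_name` models "name(n).ext" duplicate handling with the stored name re-validated, which is the path the advisory says went unchecked.

```python
import re

# Allow-list constructed for this example; the real config.asp list is longer.
# Same "a|b|c" shape as ConfigAllowedExtensions.Add "File","..."
ALLOWED_FILE_EXTENSIONS = "gif|jpg|jpeg|png|txt|zip"


def extension_of(filename: str) -> str:
    """Return the text after the last dot (empty string if there is no dot)."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def is_allowed_ext_unanchored(extension: str) -> bool:
    """The shipped check: pattern "Extensions Here" with no anchors.
    A substring match anywhere in the extension is enough to pass."""
    return re.search(ALLOWED_FILE_EXTENSIONS, extension, re.IGNORECASE) is not None


def is_allowed_ext_anchored(extension: str) -> bool:
    """The quick patch: "^(Extensions Here)$", so the whole extension must
    equal exactly one list entry."""
    pattern = r"^(" + ALLOWED_FILE_EXTENSIONS + r")$"
    return re.search(pattern, extension, re.IGNORECASE) is not None


def validate_filename(filename: str) -> bool:
    """Hypothetical defence-in-depth validator for a name about to be stored.
    Control characters are rejected first: a NUL can be silently truncated by
    lower layers, and Python's '$' would also tolerate a trailing newline.
    Path separators are rejected, then the anchored extension check applies."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False
    if "/" in filename or "\\" in filename:
        return False
    return is_allowed_ext_anchored(extension_of(filename))


def unique_name(filename: str, existing: set) -> str:
    """Duplicate handling in the 'name(n).ext' style, with the FINAL stored
    name validated. The advisory's point is that the duplicate path skipped
    validation, so the check is applied to what actually lands on disk."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    candidate = filename
    n = 0
    while candidate in existing:
        n += 1
        candidate = f"{base}({n}).{ext}" if ext else f"{base}({n})"
    if not validate_filename(candidate):
        raise ValueError(f"rejected upload name: {candidate!r}")
    return candidate


if __name__ == "__main__":
    # Constructed sample extensions: a legitimate one, a forbidden one, and
    # two that contain an allowed entry as a substring.
    for ext in ("txt", "asp", "asp\x00txt", "asp.txt"):
        print(f"{ext!r:14} unanchored={is_allowed_ext_unanchored(ext)!s:5} "
              f"anchored={is_allowed_ext_anchored(ext)}")
```

Run it and the two middle rows show the difference: the unanchored check passes `asp\x00txt` and `asp.txt` because both contain `txt`, the anchored check rejects them. The remaining defence is to validate the name that is finally written, not the one the client sent, which is what `unique_name` does.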
The PHP version test was ineffective.
The ASP/ASPX test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading, you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp