exploiut-db:
7 }' Y; A I j, w, q9 P
8 w: g7 k; a. H" e: B( u: hFCKEditor ASP Version 2.6.8 File Upload Protection Bypass0 a: f6 u. e) b; ?) M8 ]
, s4 ]* a6 w4 j& Y% H: t- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass/ |9 e+ V. p- F. d; @' I6 L" d, b! Z
- Credit goes to: Mostafa Azizi, Soroush Dalili
0 W: u9 J. Q2 A ~- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
% k9 |& Q6 i* @) Z' }% @$ l- Description:
( ^- N# n5 n: I8 B& kThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is
3 {+ {0 A2 z+ v4 J4 @2 p r6 F- tdealing with the duplicate files. As a result, it is possible to bypass n" p7 G9 E2 t) b2 h
the protection and upload a file with any extension.
; k5 F6 d" U6 W Q- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
6 A4 h" V- @) K$ R- Solution: Please check the provided reference or the vendor website.7 e, D; j) ^) {8 M. z5 g
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd7209 B9 J2 P2 s; I$ `: x" e. d
"2 }' J+ o# K: L$ e
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
/ e# z2 l1 |' u' O/ d3 x: nIn “config.asp”, wherever you have:! {/ ?. X- c+ h, Z& r; F1 N) Z
ConfigAllowedExtensions.Add “File”,”Extensions Here”8 m/ p7 Y- Y( e2 e: L& N4 l9 N) G% R! \
Change it to:
, t! l# b" q2 ]0 d( ~4 x, } ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”) V# g& W: D. K! }: ?. x; E
7 A$ ]' Q% R0 w& V
! N$ N) o" E: l1 z
h5 l, _6 ]# F3 X: h5 X \; s 1 z4 [9 ]- R! A$ V) S$ @
9 d1 j! t' `% ?% g
php测试无效0 `" _8 t( w' U4 @+ B1 e& [
asp/aspx测试成功:
+ ^; L1 e) p7 [来到/FCKeditor/editor/filemanager/connectors/test.html
1 `! ^8 I' k; n- t9 t因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt
8 @9 u; C, N5 C% Z( o9 X2 D: C! ]- s8 m2 G, _
burpsuite上传包并修改,repeater7 v" j% z& o7 |
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp
# T8 P5 Y$ u, S8 } k# L5 ?
% R! P, n) C+ ~ k* C4 N# ~如图,webshell为:http://localhost/userfiles/file/asd(1).asp4 d. G+ P Z; u9 c+ W9 i0 c
. [- J- e1 t+ s! k' r
|
发表于 2012-12-10 10:18:50
收藏
支持
反对