exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
PHP test: no effect

ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
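As an added example, not code from the advisory, the forum post or FCKEditor itself, the following Python models the two checks the quick patch distinguishes (an unanchored extension pattern versus the `^(...)$` form) together with the duplicate-name renaming the advisory describes, and re-validates the final on-disk name. The extension list, the NUL-truncation model and the `deduplicate`/`store` helpers are assumptions constructed for this example.

```python
import re

# Allowed-extension list in the style of config.asp's "Extensions Here"
# (constructed for this example; real deployments carry their own list).
ALLOWED_FILE_EXTENSIONS = "txt|jpg|gif|png"

def extension_of(filename):
    """Part after the last dot, lower-cased; '' when there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""

def allowed_unanchored(filename):
    """Before the quick patch: an unanchored pattern passes as soon as any
    listed extension appears somewhere inside the extension string."""
    return re.search(ALLOWED_FILE_EXTENSIONS, extension_of(filename), re.I) is not None

def allowed_anchored(filename):
    """After the quick patch: ^( ... )$ requires the whole extension string
    to be exactly one of the listed extensions."""
    pattern = "^(" + ALLOWED_FILE_EXTENSIONS + ")$"
    return re.search(pattern, extension_of(filename), re.I) is not None

def name_as_seen_by_filesystem(filename):
    """Assumed model of a C-string based file API: it keeps everything up
    to the first NUL byte. This is an assumption, not FCKEditor's code."""
    return filename.split("\x00", 1)[0]

def deduplicate(filename, existing):
    """Model of the duplicate handling the advisory describes: append (1),
    (2), ... to the stem until the name is free. Constructed for the example."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    candidate, n = filename, 0
    while candidate in existing:
        n += 1
        candidate = f"{stem}({n}).{ext}" if ext else f"{stem}({n})"
    return candidate

def store(filename, existing, check):
    """Return the final on-disk name, or None when rejected. The submitted
    name is checked, and so is the final name after NUL truncation and
    de-duplication, which is the check the advisory says was missing."""
    if not check(filename):
        return None
    final = deduplicate(name_as_seen_by_filesystem(filename), existing)
    return final if check(final) else None
```

In Python, `$` also matches just before a trailing newline, so `re.fullmatch` would be the stricter choice; the code keeps the advisory's `^(...)$` form to show exactly what the patch changes.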