exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
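Added example, not code from the advisory or from the FCKeditor project: a small Python model of the extension check (FCKeditor's own check is VBScript in its ASP connector) showing why the anchored `^(...)$` form from the quick patch matters, and why the extension should be validated on the name that is actually written after duplicate renaming. The whitelist, the file names and the `name(1).ext` renaming scheme are constructed assumptions for this example.

```python
import re

# Constructed whitelist for this example; the real list is in FCKeditor's config.asp.
ALLOWED_EXTENSIONS = "gif|jpg|jpeg|png|txt|zip"

# The two pattern shapes from the quick patch: the bare list (matches anywhere in the
# extension string) versus the anchored form ^(...)$ (must match the whole string).
UNANCHORED = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)
ANCHORED = re.compile(r"^(" + ALLOWED_EXTENSIONS + r")$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Everything after the last dot, lower-cased; empty if there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def extension_allowed(ext: str, pattern: re.Pattern) -> bool:
    """Mirror of a RegExp.Test-style check: True when the pattern matches ext."""
    return pattern.search(ext) is not None


def unique_name(filename: str, existing: set) -> str:
    """Model of duplicate handling: name.ext becomes name(1).ext, name(2).ext, ...
    (the numbering scheme is an assumption made for this example)."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem = filename
    candidate, n = filename, 0
    while candidate in existing:
        n += 1
        candidate = f"{stem}({n}).{ext}" if dot else f"{stem}({n})"
    return candidate


def store_upload(filename: str, existing: set, pattern: re.Pattern = ANCHORED):
    """Hardened flow: refuse control characters (including NUL), compute the name that
    will really be written, validate that final name's extension, then record it.
    Returns the stored name, or None when the upload is rejected."""
    if any(ord(c) < 32 for c in filename):
        return None
    final = unique_name(filename, existing)
    if not extension_allowed(extension_of(final), pattern):
        return None
    existing.add(final)
    return final


if __name__ == "__main__":
    # Constructed names: an extension string with an embedded NUL is accepted by the
    # unanchored list because "txt" occurs inside it, and rejected by the anchored one.
    ext = extension_of("asd.asp\x00txt")
    print(repr(ext), extension_allowed(ext, UNANCHORED), extension_allowed(ext, ANCHORED))
    files = {"asd.txt"}
    print(store_upload("asd.txt", files))         # asd(1).txt, validated after renaming
    print(store_upload("asd.asp\x00txt", files))  # None
```

The point of `store_upload` is ordering: the rename for duplicates happens first and the whitelist is applied to the resulting name, so the duplicate path cannot end up with a name that the normal path would have refused. The anchored pattern is still needed on its own, because `search` with an unanchored alternation accepts any extension string that merely contains a whitelisted word.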
Tested against PHP: did not work.
Tested against ASP/ASPX: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it via Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL decoding; after uploading you get asd(1).asp
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp