中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Latest FCKEditor ASP upload bypass vulnerability

Author: admin    Time: 2012-12-10 10:18
Title: Latest FCKEditor ASP upload bypass vulnerability
exploit-db: "

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"

PHP test: did not work.
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier duplicate-upload (second upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding and upload; after uploading you get asd(1).asp.

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
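What the quick patch in the note above actually changes, as an added illustration that is not code from this post, from the exploit-db advisory, or from FCKeditor itself: a small Python model (Python rather than the connector's VBScript, so it can be run directly) of the extension check in its unanchored and anchored forms, together with a schematic of NUL-byte truncation and duplicate renaming. The allowed list `txt|jpg|gif|png`, the function names, and the `(1)` renaming routine are constructed assumptions; FCKeditor's real connector code is not reproduced. It also shows a hardening step the note does not mention: running the check on the name that will really be written, not only on the submitted string.

```python
import re

# Allowed extensions as they would appear in the config.asp line
# ConfigAllowedExtensions.Add "File", "..." (constructed sample; the post only
# shows the placeholder "Extensions Here").
ALLOWED_EXTENSIONS = "txt|jpg|gif|png"


def extension_of(name):
    """Text after the last dot, lower-cased; '' when there is no dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def allowed_unanchored(name):
    """Pre-patch form: the allowed list is applied as a bare regex, so the
    check succeeds when the extension merely contains an allowed value
    ('asp\\x00txt' contains 'txt')."""
    return re.search(ALLOWED_EXTENSIONS, extension_of(name), re.I) is not None


def allowed_anchored(name):
    """Quick-patch form from the post: ^( ... )$ forces the whole extension
    to equal one of the allowed values."""
    pattern = "^(" + ALLOWED_EXTENSIONS + ")$"
    return re.search(pattern, extension_of(name), re.I) is not None


def on_disk_name(name):
    """Name a C-string based file API would actually create: everything from
    the first NUL byte onward is dropped, so a submitted 'asd.asp<NUL>txt'
    lands on disk with a .asp extension."""
    return name.split("\x00", 1)[0]


def unique_name(name, existing):
    """Schematic duplicate handling in the style the post describes: insert
    (1), (2), ... before the extension until the name is unused. Constructed
    model (hypothetical helper), not FCKeditor's connector code."""
    if name not in existing:
        return name
    stem, dot, ext = name.rpartition(".")
    n = 1
    while f"{stem}({n}){dot}{ext}" in existing:
        n += 1
    return f"{stem}({n}){dot}{ext}"


def accept_upload(requested, existing, check, validate_final=True):
    """Return (accepted, stored_name).

    check          -- allowed_unanchored or allowed_anchored
    validate_final -- also run the check on the name that will really be
                      written (after NUL truncation and duplicate renaming).
                      This is hardening beyond the post's one-line patch.
    """
    if not check(requested):
        return False, None
    stored = unique_name(on_disk_name(requested), existing)
    if validate_final and not check(stored):
        return False, None
    existing.add(stored)
    return True, stored


if __name__ == "__main__":
    tricky = "asd.asp\x00txt"          # constructed sample name from the post
    print("unanchored accepts NUL name:", allowed_unanchored(tricky))
    print("anchored accepts NUL name:  ", allowed_anchored(tricky))
    print("name written to disk:       ", on_disk_name(tricky))
    print("pre-patch, submitted-name check only:",
          accept_upload(tricky, set(), allowed_unanchored, validate_final=False))
    print("pre-patch, final-name check added:   ",
          accept_upload(tricky, set(), allowed_unanchored))
    print("patched, anchored check:            ",
          accept_upload(tricky, set(), allowed_anchored))
    print("duplicate of a legitimate file:      ",
          accept_upload("report.txt", {"report.txt"}, allowed_anchored))
```

The two checks differ only in the `^( )$` anchors, which is exactly the change the note prescribes; the `validate_final` branch exists because an extension check that runs before duplicate renaming or NUL truncation is checking a string that is not the filename the server will create.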

. J2 `/ k0 d5 Z* ^' S4 |5 i  r




Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2