中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: Latest FCKEditor ASP Upload Bypass Vulnerability
Author: admin
Time: 2012-12-10 10:18
exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:
http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference:
http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:
http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
PHP test: did not work
ASP/ASPX test: succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it and send it from Repeater
Change the file name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
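The bypass and the quick patch, replayed in an added Python model (this is not FCKeditor's code and not the poster's; the model is mine). It reproduces only the three behaviours the advisory, the patch and the test above depend on: the connector tests the extension with an unanchored regex (VBScript RegExp.Test, like re.search, matches anywhere in the string), the duplicate-file branch rebuilds the name as name(n).ext from the original, unvalidated extension, and a NUL byte in the name truncates what a Win32 file API sees. The extension list, the folder contents and all function names are constructed for the example; the real commands.asp/upload.asp control flow is simplified.

```python
import re

# Constructed subset of an "Extensions Here" list as it sits in config.asp:
# a bare alternation with no anchors (the vulnerable form).
VULN_PATTERN = "doc|gif|jpg|pdf|png|txt|zip"
# The quick patch from the advisory: anchor the whole alternation.
FIXED_PATTERN = "^(" + VULN_PATTERN + ")$"


def get_extension(filename):
    """Text after the last '.'; the model assumes the uploader derives Ext this way."""
    dot = filename.rfind(".")
    return filename[dot + 1:] if dot >= 0 else ""


def remove_extension(filename):
    """Text before the last '.', used when building the '(n)' duplicate name."""
    dot = filename.rfind(".")
    return filename[:dot] if dot >= 0 else filename


def is_allowed_ext(ext, pattern):
    """VBScript RegExp.Test with IgnoreCase is an unanchored, case-insensitive
    search, which re.search reproduces. With VULN_PATTERN any extension that
    merely contains an allowed one (asp<NUL>txt contains txt) passes."""
    return re.search(pattern, ext, re.IGNORECASE) is not None


def os_visible_name(name):
    """Win32 file APIs take NUL-terminated strings, so the filesystem never
    sees anything after the first NUL byte of a name."""
    return name.split("\x00", 1)[0]


def duplicate_name(original, counter, ext):
    """Model of the rename in commands.asp:
    RemoveExtension(sOriginalFileName) & '(' & n & ').' & sExtension.
    sExtension is the extension of the original name, checked only once."""
    return f"{remove_extension(original)}({counter}).{ext}"


def upload(existing, filename, pattern):
    """Model of FileUpload: test the extension once, then keep renaming to
    name(n).ext until the target does not exist. Returns the stored name as
    the filesystem sees it, or None when the upload is refused.
    `existing` is the set of names already in the target folder (constructed)."""
    ext = get_extension(filename)
    if not is_allowed_ext(ext, pattern):
        return None
    name = filename
    counter = 0
    while os_visible_name(name) in existing:
        counter += 1
        name = duplicate_name(filename, counter, ext)
    stored = os_visible_name(name)
    existing.add(stored)
    return stored


def demo():
    """Replays the asd.asp%00txt request against both patterns."""
    results = {}
    for label, pattern in (("unanchored", VULN_PATTERN), ("anchored", FIXED_PATTERN)):
        # Constructed folder state: the earlier upload plus a previous send of
        # the same Repeater request, so the duplicate branch is taken.
        folder = {"asd.asp.txt", "asd.asp"}
        results[label] = upload(folder, "asd.asp\x00txt", pattern)
    return results


if __name__ == "__main__":
    print(demo())  # {'unanchored': 'asd(1).asp', 'anchored': None}
```

With the unanchored list the extension asp<NUL>txt passes because the search finds "txt" inside it, the duplicate branch emits asd(1).asp<NUL>txt, and the NUL-terminated filesystem call stores asd(1).asp. With the anchored list the same request is refused before any file is written, while a legitimate duplicate (asd.asp.txt uploaded twice) is still renamed to asd.asp(1).txt. VBScript's RegExp honours ^ and $ the same way, which is all the config.asp patch changes; it does nothing about NUL bytes or double extensions by itself, so the anchored list must be complete and must not contain any scriptable extension.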
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2