中国网络渗透测试联盟

标题: 最新FCKEditor ASP上传绕过漏洞 [打印本页]

---

作者: admin    时间: 2012-12-10 10:18
标题: 最新FCKEditor ASP上传绕过漏洞
exploiut-db：
; @# r1 A/ [2 k5 U
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
' _9 }2 [8 u7 [0 g) l* J) b9 L
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
1 b- ^: Z9 i: t) z) R- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
1 }/ I& L' ~6 ]2 S) u( x# r- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
" C/ K9 _3 n3 ddealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
6 R" B" E! R- Z/ b# t- AIn “config.asp”, wherever you have:
# c2 ^, H1 S, i8 p* c; i* Z      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
6 E; W  U# Z2 h# r9 g0 {Change it to:
, R" r5 X) a5 s* f2 e! d0 B. J      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”



# h6 @2 _7 U1 X* l

. P* \2 E1 _$ D' ?0 \php测试无效
' M6 r- }) a7 S2 O0 g5 Sasp/aspx测试成功：
* }, [1 H2 _9 m来到/FCKeditor/editor/filemanager/connectors/test.html
5 y5 z1 q1 K; X8 N因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt
! G2 S. D" ~1 W' `3 z' C0 y
burpsuite上传包并修改，repeater
! F, J6 o8 G* q: R  R) D3 }- T1 G名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp
) _  O% Y) ~" |" c0 Z
/ L# E0 E. ^8 X' }' V9 }8 i如图，webshell为：http://localhost/userfiles/file/asd(1).asp

---

欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)

Powered by Discuz! X3.2