Title: Latest FCKEditor ASP upload bypass vulnerability
Author: admin
Time: 2012-12-10 10:18

exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
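
A way to check a deployment for the quick patch above, as an added example that is not code from the advisory or from FCKeditor. It assumes the configured string is evaluated as a regular expression with match-anywhere semantics (as VBScript's RegExp.Test behaves); the function names and the sample config text are constructed for illustration.

```python
import re

# Matches lines such as: ConfigAllowedExtensions.Add "File","7z|doc|zip"
ADD_RE = re.compile(
    r'^\s*ConfigAllowedExtensions\.Add\s+"([^"]+)"\s*,\s*"([^"]*)"', re.I)

def anchor(pattern):
    """Apply the quick patch: wrap the alternation as ^( ... )$."""
    return "^(" + pattern + ")$"

def is_anchored(pattern):
    # Require the grouped form. "^a|b$" is not enough, because the
    # anchors would bind only to the first and last alternatives.
    return pattern.startswith("^(") and pattern.endswith(")$")

def audit_config(text):
    """Return (line_no, resource_type, pattern) for every unpatched entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = ADD_RE.match(line)
        # Empty values are skipped: there is no alternation to anchor.
        if m and m.group(2) and not is_anchored(m.group(2)):
            findings.append((line_no, m.group(1), m.group(2)))
    return findings

def extra_matches(pattern, candidates):
    """Extensions the unanchored pattern accepts but the patched one rejects."""
    loose = re.compile(pattern, re.I)
    strict = re.compile(anchor(pattern), re.I)
    return [c for c in candidates if loose.search(c) and not strict.search(c)]

# Constructed sample, not the shipped config.asp.
SAMPLE = '''\
' upload settings (constructed sample)
ConfigAllowedExtensions.Add "File", "7z|doc|gif|jpg|pdf|txt|zip"
ConfigAllowedExtensions.Add "Image", "^(bmp|gif|jpeg|jpg|png)$"
'''

if __name__ == "__main__":
    for line_no, rtype, pattern in audit_config(SAMPLE):
        print(f"line {line_no}: {rtype} is unanchored, change to {anchor(pattern)}")
        print("  accepted only by the unanchored form:",
              extra_matches(pattern, ["txt", "docx", "txt1", "jpg"]))
```
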

PHP: tested, does not work.
ASP/ASPX: tested successfully:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier re-upload (duplicate upload) vulnerability, first upload a file with arbitrary content: asd.asp.txt