最新FCKEditor ASP上传绕过漏洞

admin

exploiut-db：

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
" x* N9 }% N$ V  H, O, T
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
! D$ D4 y% o% [- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
8 o8 t! P) w7 w5 I* e2 ^% R- Description:
  S) G% ?7 j0 p! ~There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
: w- x! f3 S- k; x3 z$ W8 kthe protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
6 y; Y4 r4 s" R! Z1 _- W9 T- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
- \; u* l2 Z6 E0 t4 cIn “config.asp”, wherever you have:
+ r+ A) ]* o5 d9 `' W      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
Change it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”


2 H+ v" k! x3 M  f( Q0 l" N2 Y3 x


php测试无效
asp/aspx测试成功：
- q7 ~! }* s$ w来到/FCKeditor/editor/filemanager/connectors/test.html
因为结合了之前二次上传的漏洞，所以先上传任意内容的文件：asd.asp.txt
8 w* {+ _3 o$ X
) E* V: J& U+ W! w9 z+ mburpsuite上传包并修改，repeater
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

如图，webshell为：http://localhost/userfiles/file/asd(1).asp
9 Y( B5 R5 V# y3 V6 s+ \
, G+ C6 Q7 M5 j