exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation of the file extension when the FCKEditor 2.6.8 ASP version handles duplicate file names. As a result, the upload protection can be bypassed and a file with any extension can be uploaded.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for the FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Tested against the PHP version: did not work.
Tested against the ASP/ASPX versions: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater:
change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
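The quick patch and the asd.asp%00txt test above are modelled below in Python as an added example; this is not FCKEditor's code and not the advisory authors' code. Everything in it is an assumption made for illustration and is labelled as such in the comments: the allow-list is a shortened, constructed list in the shape of the config.asp line; the extension is taken as everything after the last dot; the unpatched check is an unanchored regex test (VBScript's RegExp.Test, like Python's re.search, succeeds when the pattern matches anywhere in the string); the path reaching the filesystem is truncated at the first NUL byte as a C string would be; duplicate names get a (n) suffix with the already-checked extension re-attached; and a file named asd.asp is assumed to already exist on the server so that the duplicate-handling path is exercised.

```python
"""Added example, not FCKEditor's code: models the ASP connector's extension
check before and after the quick patch, and why the duplicate-rename path can
end with a stored name such as asd(1).asp."""
import re

# Allow-list in the shape config.asp uses:
#   ConfigAllowedExtensions.Add "File", "Extensions Here"
# Shortened, constructed list for the example; not the shipped default.
ALLOWED_FILE_EXTENSIONS = "doc|gif|jpg|pdf|png|txt|zip"


def get_extension(filename):
    """Everything after the last '.', lower-cased (assumption about how the
    connector extracts it). A NUL byte survives: 'asd.asp\\x00txt' -> 'asp\\x00txt'."""
    dot = filename.rfind(".")
    return "" if dot < 0 else filename[dot + 1:].lower()


def is_allowed_unpatched(extension):
    """Unanchored pattern, the pre-patch shape. VBScript RegExp.Test, like
    re.search, succeeds if the pattern matches anywhere, so the 'txt' inside
    'asp\\x00txt' is enough to pass."""
    return re.search(ALLOWED_FILE_EXTENSIONS, extension) is not None


def is_allowed_patched(extension):
    """The quick patch: ^( ... )$ forces the whole extension to equal one token.
    (Python's $ also accepts a single trailing newline; the extension is a
    single lower-cased token here, so that does not matter in this model.)"""
    return re.search("^(" + ALLOWED_FILE_EXTENSIONS + ")$", extension) is not None


def on_disk_name(filename):
    """Assumption: the path is handed to the OS as a C string and is therefore
    cut at the first NUL byte."""
    return filename.split("\x00", 1)[0]


def store(filename, existing_files):
    """Duplicate handling modelled on the page's asd(1).asp result: keep the base
    name, append (n), re-attach the extension that was already checked.
    Returns the name the filesystem ends up with and records it."""
    ext = get_extension(filename)
    base = filename[: filename.rfind(".")] if ext else filename
    candidate = filename
    counter = 0
    while on_disk_name(candidate) in existing_files:
        counter += 1
        candidate = f"{base}({counter}).{ext}" if ext else f"{base}({counter})"
    saved = on_disk_name(candidate)
    existing_files.add(saved)
    return saved


def upload(filename, existing_files, check):
    """Run the extension check with the given policy, then store.
    Returns the stored name, or None if the upload was rejected."""
    if not check(get_extension(filename)):
        return None
    return store(filename, existing_files)


if __name__ == "__main__":
    # The post's asd.asp%00txt with the %00 decoded to a real NUL byte.
    payload = "asd.asp\x00txt"
    for label, check in (("unpatched", is_allowed_unpatched),
                         ("patched", is_allowed_patched)):
        server_files = {"asd.asp"}  # constructed: a same-named file already on the server
        print(f"{label}: {upload(payload, server_files, check)!r}")
```

With the unpatched check the payload is accepted, the existence check sees asd.asp and renames to asd(1).asp\x00txt, and the filesystem stores asd(1).asp; with the anchored pattern the same request is rejected before anything is written. A bare asp extension fails both checks, which is why the test needs the NUL byte to smuggle an allowed token into the extension string.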