exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when the FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
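As an added illustration (not FCKEditor's own code and not part of the advisory), the following Python sketches the checks the quick patch above is about: an anchored allowlist in the same `a|b` form as `config.asp`, rejection of NUL and other control characters in the submitted name, and re-validation of the name that is actually written after duplicate-file renaming. The allowlist contents and the `name(n).ext` renaming convention are assumptions.

```python
import re
from typing import Optional, Set

# Constructed allowlist in the "a|b|c" form used by config.asp (assumption).
ALLOWED_FILE_EXTENSIONS = "txt|jpg|png|pdf|zip"

def build_matcher(extensions: str, anchored: bool = True) -> "re.Pattern[str]":
    """Unanchored, a regex test accepts any extension that merely *contains*
    an allowed one; the advisory's fix wraps the list in ^(...)$."""
    pattern = f"^({extensions})$" if anchored else extensions
    return re.compile(pattern, re.IGNORECASE)

def is_safe_filename(name: str) -> bool:
    # A NUL or other control character must never reach the filesystem API:
    # it can truncate the name that is actually written.
    if any(ord(c) < 0x20 for c in name):
        return False
    # The name must be a single path component.
    return name not in ("", ".", "..") and "/" not in name and "\\" not in name

def extension_of(name: str) -> str:
    # Only the text after the LAST dot decides how the web server treats the file.
    return name.rsplit(".", 1)[1] if "." in name else ""

def is_allowed(name: str, matcher: "re.Pattern[str]") -> bool:
    return is_safe_filename(name) and matcher.search(extension_of(name)) is not None

def dedupe_name(name: str, existing: Set[str]) -> str:
    """Insert (n) before the extension until the name is free (assumed to
    mirror FCKEditor's duplicate handling) and return the name to be written."""
    base, ext = name.rsplit(".", 1) if "." in name else (name, "")
    candidate, n = name, 0
    while candidate in existing:
        n += 1
        candidate = f"{base}({n}).{ext}" if ext else f"{base}({n})"
    return candidate

def accept_upload(name: str, existing: Set[str], matcher: "re.Pattern[str]") -> Optional[str]:
    """Validate the submitted name, then validate the renamed name as well:
    the decision must cover the name that ends up on disk, not only the input."""
    if not is_allowed(name, matcher):
        return None
    final = dedupe_name(name, existing)
    return final if is_allowed(final, matcher) else None
```

The last check in `accept_upload` is the point of the advisory: whatever name the duplicate-handling path produces must pass the same extension test as the original submission.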
Tested on PHP: no effect.
Tested on ASP/ASPX: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it to Repeater.
Change the name to asd.asp%00txt, then convert the %00 to its URL-encoded form; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp