Latest FCKEditor ASP upload bypass vulnerability

Original poster, posted on 2012-12-10 10:18:50
From exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"

Tested on PHP: does not work.
Tested on ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it to Repeater.
Change the name to asd.asp%00txt, then URL-decode the %00; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is at: http://localhost/userfiles/file/asd(1).asp
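The following is an added example written for this page; it is not FCKeditor's connector code and not part of the advisory or the post above. It shows, in Python rather than the connector's VBScript because the point is regex semantics, why the quick patch anchors the allow-list pattern with ^(...)$ and why the duplicate-file step must re-validate the final name: an unanchored alternation such as txt|jpg accepts an extension string like "asp<NUL>txt" because "txt" occurs inside it, while the anchored form does not. The allow-list values and the file names are constructed for the example.

```python
import re

# Constructed allow-list in the alternation form FCKeditor's config.asp takes
# ("Extensions Here" in the advisory). The actual values are an assumption.
ALLOWED_EXTENSIONS = "txt|jpg|gif|png"

# Weak form: pattern used unanchored, so a match anywhere in the extension
# string is enough to pass.
WEAK_PATTERN = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)

# Patched form from the advisory's quick fix: ^(...)$ forces the whole
# extension to equal one allowed token. fullmatch() is used so a trailing
# newline cannot slip past the $ anchor.
STRICT_PATTERN = re.compile(r"^(" + ALLOWED_EXTENSIONS + r")$", re.IGNORECASE)


def split_extension(filename):
    """Return (base, ext) split on the last dot; ext is '' when there is none."""
    base, dot, ext = filename.rpartition(".")
    if not dot:
        return filename, ""
    return base, ext


def weak_extension_ok(filename):
    """Unanchored check: 'asp\\x00txt' passes because 'txt' is a substring."""
    _, ext = split_extension(filename)
    return WEAK_PATTERN.search(ext) is not None


def strict_extension_ok(filename):
    """Anchored check: the extension must be exactly one allowed token."""
    _, ext = split_extension(filename)
    return STRICT_PATTERN.fullmatch(ext) is not None


def choose_upload_name(filename, existing_names):
    """Hardened naming step (added example, not FCKeditor's own code).

    Rejects control characters (a NUL lets a lower layer truncate the name),
    rejects path separators, requires an anchored extension match, and
    re-validates the name produced by duplicate handling, because the
    advisory's root cause is that the duplicate-file path skipped validation.
    Returns the name to store, or None when the upload must be refused.
    """
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        return None
    if "/" in filename or "\\" in filename:
        return None
    if not strict_extension_ok(filename):
        return None
    base, ext = split_extension(filename)
    taken = {n.lower() for n in existing_names}
    candidate = filename
    counter = 1
    while candidate.lower() in taken:
        candidate = f"{base}({counter}).{ext}"
        counter += 1
    # Same rule applied to the final on-disk name, not only the submitted one.
    if not strict_extension_ok(candidate):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs mirroring the post: a legitimate .txt, and the same
    # base name with an embedded NUL in the extension.
    for name in ["asd.asp.txt", "asd.asp\x00txt", "shell.asp"]:
        print(repr(name), "weak:", weak_extension_ok(name),
              "strict:", strict_extension_ok(name),
              "stored as:", choose_upload_name(name, ["asd.asp.txt"]))
```

The weak check returns True for "asd.asp\x00txt" and the anchored check returns False; choose_upload_name() refuses it outright because of the NUL, and when "asd.asp.txt" already exists it stores the duplicate as "asd.asp(1).txt", keeping the validated extension on the renamed file.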