exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
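To make the quick patch concrete, here is an added Python model of the extension check. It is example code written for this page, not FCKEditor's own ASP code. It assumes, as the shape of the patch suggests, that the pre-patch value of ConfigAllowedExtensions is applied as an unanchored regular expression against the uploaded file's extension, and the allow-list "txt|jpg|gif|png" is a constructed stand-in for the "Extensions Here" placeholder. The block contrasts the unanchored and the "^(...)$" forms, and adds the two checks a defender wants on top of anchoring: rejecting embedded NUL bytes outright, and re-validating the final on-disk name after duplicate renaming, which is the path the advisory says goes unchecked.

```python
import re

# Constructed allow-list standing in for the "Extensions Here" placeholder in
# FCKEditor's config.asp (hypothetical values, not the project's defaults).
ALLOWED_EXTENSIONS = "txt|jpg|gif|png"


def extension_of(filename: str) -> str:
    """Everything after the last dot of the bare file name, lower-cased; '' if
    there is no dot. Path separators are stripped first so 'dir/evil.asp' is
    judged by 'evil.asp'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def allowed_unanchored(filename: str) -> bool:
    """Models the pre-patch configuration (assumption: the allow-list value is
    used as a regular expression with no anchors). A match anywhere inside the
    extension is enough, so 'asp\\x00txt' passes because it contains 'txt'."""
    return re.search(ALLOWED_EXTENSIONS, extension_of(filename), re.IGNORECASE) is not None


def allowed_anchored(filename: str) -> bool:
    """Models the patched configuration '^(Extensions Here)$': the whole
    extension must equal one of the listed values."""
    pattern = "^(" + ALLOWED_EXTENSIONS + ")$"
    return re.fullmatch(pattern, extension_of(filename), re.IGNORECASE) is not None


def safe_to_store(filename: str, existing: set) -> tuple:
    """Defensive upload decision. Returns (True, final_name) or (False, reason).

    1. Reject embedded NUL bytes: a name like 'x.asp\\x00txt' is truncated by
       C-style file APIs, so what the regex saw is not what lands on disk.
    2. Validate the extension with the anchored pattern.
    3. Repeat the validation on the FINAL name after duplicate renaming
       (name.ext -> name(1).ext), so the rename path cannot reintroduce a
       disallowed extension.
    """
    if "\x00" in filename:
        return (False, "embedded NUL byte")
    if not allowed_anchored(filename):
        return (False, "extension not in allow-list")
    final = filename
    n = 0
    while final in existing:
        n += 1
        stem, ext = filename.rsplit(".", 1)
        final = f"{stem}({n}).{ext}"
    if not allowed_anchored(final):
        return (False, "renamed file has a disallowed extension")
    return (True, final)


if __name__ == "__main__":
    # Constructed sample names; the NUL-byte one mirrors the advisory's bypass.
    samples = ["photo.JPG", "asd.asp.txt", "asd.asp\x00txt", "asd(1).asp", "README"]
    for name in samples:
        print(repr(name),
              "unanchored:", allowed_unanchored(name),
              "anchored:", allowed_anchored(name),
              "safe_to_store:", safe_to_store(name, {"asd.asp.txt"}))
```

Run it directly to see the side-by-side result: the unanchored form accepts the NUL-byte name while the anchored form and safe_to_store both refuse it, and a genuine duplicate such as a second asd.asp.txt is renamed to asd.asp(1).txt and re-checked before it is accepted.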
PHP: test had no effect
ASP/ASPX: test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite and modify it in Repeater:
change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp