exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Tested against PHP: no effect.
Tested against ASP/ASPX: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it and send it from Repeater:
change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is at: http://localhost/userfiles/file/asd(1).asp
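Why the request above lands as asd(1).asp, and why the anchored regex in the quick patch stops it, is easier to see in a small model. The following is an added example, not code from the post and not FCKeditor's connector. It assumes (none of this is stated on the page) that the connector takes the text after the last dot as the extension and tests it with an unanchored regex search, that on a name clash it inserts "(n)" before the extension and writes without re-validating, and that the file system, reached through C-string APIs, stops the name at the first NUL byte. The whitelist "txt|jpg|gif|png" stands in for the advisory's "Extensions Here", and the modified Repeater request is modelled as being sent twice: the first send creates asd.asp, the second clashes with it and is renamed.

```python
import re
from typing import List, Optional, Set

# Constructed model of the upload path the advisory describes; NOT FCKeditor's
# own code.  Assumptions: extension = text after the last '.', checked with an
# unanchored re.search; on a clash "(n)" is inserted before the extension and
# the file is written without a second check; the OS truncates paths at NUL.

ALLOWED = "txt|jpg|gif|png"          # stand-in for "Extensions Here" (assumed list)
ALLOWED_PATCHED = f"^({ALLOWED})$"   # the advisory's quick patch applied to it
NUL = "\x00"                         # what %00 becomes once URL-decoded


def extension_of(filename: str) -> str:
    """Everything after the last dot; empty when there is no dot."""
    _stem, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def is_allowed(filename: str, pattern: str) -> bool:
    """Whitelist check.  re.search, not fullmatch, so a pattern written
    without ^...$ matches anywhere inside the extension string."""
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def os_name(name: str) -> str:
    """Model of a NUL-terminated path: the OS never sees what follows NUL."""
    return name.split(NUL, 1)[0]


def dedupe(filename: str, on_disk: Set[str]) -> str:
    """Connector-side rename on clash: asd.ext -> asd(1).ext -> asd(2).ext ...
    The existence test is an OS call, so it sees the truncated name."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        stem, ext = filename, ""
    candidate, n = filename, 0
    while os_name(candidate) in on_disk:
        n += 1
        candidate = f"{stem}({n}).{ext}" if dot else f"{stem}({n})"
    return candidate


def upload(filename: str, pattern: str, on_disk: Set[str]) -> Optional[str]:
    """Returns the name that lands on disk, or None if the whitelist rejects it."""
    if not is_allowed(filename, pattern):
        return None
    saved = os_name(dedupe(filename, on_disk))
    on_disk.add(saved)
    return saved


def replay(pattern: str) -> List[Optional[str]]:
    """The post's sequence: asd.asp.txt through test.html, then the Repeater
    request with a raw NUL in the name, sent twice (constructed sequence)."""
    disk: Set[str] = set()
    names = ["asd.asp.txt", f"asd.asp{NUL}txt", f"asd.asp{NUL}txt"]
    return [upload(n, pattern, disk) for n in names]


if __name__ == "__main__":
    print("unpatched:", replay(ALLOWED))          # third save is asd(1).asp
    print("patched:  ", replay(ALLOWED_PATCHED))  # NUL names are rejected
```

Two defects combine here. The unanchored pattern accepts the extension string "asp\0txt" because "txt" occurs inside it, and the NUL then hides the ".txt" from the file system, so the rename path writes asd(1).asp. Anchoring the pattern with ^...$ makes the whole extension string have to be one of the listed values, which "asp\0txt" is not; rejecting NUL bytes and other non-printable characters in the name outright is the stricter check to pair with it.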