exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation of the extension when the FCKEditor 2.6.8 ASP version handles duplicate file names. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
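Added example (Python, written here; not the advisory's or FCKeditor's own code) showing why the anchors in the quick patch matter: an unanchored allow-list pattern matches on a substring of the extension, so an extension carrying a NUL byte still passes, while the anchored form accepts only an exact allowed value. The extension splitting and the allow-list are constructed assumptions about the check, not FCKeditor's implementation.

```python
import re

# Constructed allow-list in the "ext1|ext2" form the config line above takes
# (assumption: the upload check is a regex match against the extension).
ALLOWED = "txt|pdf|jpg"


def extension_of(filename: str) -> str:
    """Hypothetical helper: raw text after the last dot, unchanged."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def allowed_unanchored(filename: str, allowed: str = ALLOWED) -> bool:
    """Weak check, like the pre-patch config: the pattern may match anywhere
    inside the extension, so "asp\\x00txt" is accepted because it contains
    "txt"."""
    return re.search(allowed, extension_of(filename), re.IGNORECASE) is not None


def allowed_anchored(filename: str, allowed: str = ALLOWED) -> bool:
    """Hardened check equivalent to the patched "^(...)$" pattern.
    fullmatch is used instead of ^...$ because in Python '$' also matches
    before a trailing newline; control bytes (NUL included) are rejected
    outright so the extension can never differ from what the filesystem
    will see."""
    ext = extension_of(filename)
    if not ext or any(ord(c) < 0x20 for c in ext):
        return False
    return re.fullmatch(f"(?:{allowed})", ext, re.IGNORECASE) is not None


def compare(filename: str) -> dict:
    """Return both verdicts for one constructed filename."""
    return {
        "unanchored": allowed_unanchored(filename),
        "anchored": allowed_anchored(filename),
    }


if __name__ == "__main__":
    # Constructed sample names: a legitimate upload and one with an embedded NUL.
    for name in ("report.txt", "asd.asp\x00txt", "shell.asp"):
        print(repr(name), compare(name))
```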
Tested on PHP: not effective
Tested on ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier second-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite and modify it in Repeater
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp