exploiut-db:# p7 _+ e9 q( R5 h
/ g1 K8 U& ~% R5 Y& E# F
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
, B; U8 j$ E! b: F+ h( j8 w5 o, b3 M2 D% c. d C9 o
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
. r ^, z1 J) K- Credit goes to: Mostafa Azizi, Soroush Dalili( h' [: k: d- W; K) [5 J& J
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/! F" n6 j; r& f3 w
- Description:7 B6 Y; `9 ^" L; {; n8 y
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
5 q; A# J' s" l, r$ }dealing with the duplicate files. As a result, it is possible to bypass) C" E: n; x+ a
the protection and upload a file with any extension.
9 N S( i+ A, l) Z* c7 R- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
' V+ L: [; d) v: l; Y% O. z- Solution: Please check the provided reference or the vendor website.
@ H: v" q/ {4 J9 @5 p9 d/ a- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd7206 J" _$ p$ t- E5 Y
"# Q* | [, P2 a2 Y2 [8 {7 ^$ N2 y
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:& ]* s+ X: V# i& b
In “config.asp”, wherever you have:
/ G* z( ]* V6 @: q5 @3 b$ g) b ConfigAllowedExtensions.Add “File”,”Extensions Here”
. ]; t3 y" y. u! `: WChange it to:3 s1 ^" h5 J; `& j2 Y
ConfigAllowedExtensions.Add “File”,”^(Extensions Here)$”0 _# z" ]+ J/ Y% k5 F( D
3 u; l. V) y3 S& V+ q( R
) v6 k% X' A1 k8 @: p% G/ _" r! U& J& q7 Q
7 W4 l6 t5 I) C6 ^
" ]5 t9 O. V' ^; ~" R4 P6 vphp测试无效5 ?; W" ?1 s* i" X
asp/aspx测试成功:& \9 d2 ]. S5 X: ~- u6 K
来到/FCKeditor/editor/filemanager/connectors/test.html* p: l+ s7 d, Q2 P' {& T1 [( k
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt/ X0 N4 f* E, X1 I% l8 }5 K) S& |
' h: Z { O( i* L" \
burpsuite上传包并修改,repeater) g4 ?9 e2 [; |$ ~' ^6 w
名字改为asd.asp%00txt 然后把%00专为URL编码上传后得到asd(1).asp, E* B( j. |# O5 T" ? a g4 @
" w5 H2 U% F% F7 I5 g) d如图,webshell为:http://localhost/userfiles/file/asd(1).asp
t6 D# ?! o+ j w/ ]/ ?$ a6 l2 I( T# j5 `, B; i
|
发表于 2012-12-10 10:18:50
收藏
支持
反对