exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation of the file extension when the FCKEditor 2.6.8 ASP version handles duplicate file names. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
("Extensions Here" stands for the pipe-separated list of allowed extensions already present in your config.asp; the quotes must be straight ASCII quotes for VBScript to accept the line. Without the ^ and $ anchors the regex test succeeds whenever one of the listed extensions appears anywhere in the checked string; with them, the whole extension has to equal one of the listed values.)
PHP version: the test had no effect.
ASP/ASPX version: the test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this chains with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it from Repeater.
Change the file name to asd.asp%00txt, then apply the URL-encoding conversion to the %00; after uploading you get asd(1).asp.
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp