exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
PHP: test ineffective
ASP/ASPX: test successful
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
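The quick patch in the advisory works by anchoring the allow-list pattern with ^ and $. The JavaScript below is an added illustration, not FCKEditor's code and not from the advisory's authors, of the two defensive points this post raises: an anchored extension check versus an unanchored one, and running the check on the name that will actually be written to disk after duplicate handling rather than on the name the client sent. It assumes the allow-list string is applied as a regular expression to the file extension (as the ^ and $ in the patch suggest) and that duplicates are renamed by inserting "(n)" before the extension; the allow-list txt|jpg, the file names and the exists() callbacks are constructed for the example.

```javascript
// Added example (not FCKEditor's code). Assumptions, not taken from the advisory:
//  - the allow-list string is used as a regular expression against the extension;
//  - a duplicate upload is stored as stem(n).ext, e.g. asd.txt -> asd(1).txt.
const ALLOWED = "txt|jpg"; // constructed allow-list; stands in for "Extensions Here"

// Unanchored check: passes if the allow-list matches ANYWHERE inside the extension.
function extensionAllowedUnanchored(ext, allowed = ALLOWED) {
  return new RegExp(allowed, "i").test(ext);
}

// Anchored check, as in the quick patch: the WHOLE extension must be in the list.
function extensionAllowedAnchored(ext, allowed = ALLOWED) {
  return new RegExp("^(" + allowed + ")$", "i").test(ext);
}

// Extension of the base name: text after the last dot, "" if there is no dot.
function extensionOf(name) {
  const base = name.split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot + 1);
}

// Name a de-duplicating store would write. exists(name) reports whether that
// name is already taken (constructed callback; a real store would stat the path).
function dedupeName(name, exists) {
  if (!exists(name)) return name;
  const dot = name.lastIndexOf(".");
  const stem = dot === -1 ? name : name.slice(0, dot);
  const ext = dot === -1 ? "" : name.slice(dot);
  for (let n = 1; ; n++) {
    const candidate = `${stem}(${n})${ext}`;
    if (!exists(candidate)) return candidate;
  }
}

// Hardened flow: refuse control characters (NUL included) outright, compute the
// final on-disk name FIRST, then validate that name with the anchored allow-list.
// Returns the name to store, or null when the upload must be rejected.
function acceptUpload(rawName, exists, allowed = ALLOWED) {
  if (/[\x00-\x1f\x7f]/.test(rawName)) return null;
  const finalName = dedupeName(rawName, exists);
  return extensionAllowedAnchored(extensionOf(finalName), allowed) ? finalName : null;
}

// Stand-alone demonstration of the difference between the two checks.
function demo() {
  const ext = "asp\u0000txt"; // extension as a checker would see it before any truncation
  return {
    unanchored: extensionAllowedUnanchored(ext), // true: "txt" is a substring
    anchored: extensionAllowedAnchored(ext),     // false: whole extension is not "txt"
    stored: acceptUpload("asd.txt", (n) => n === "asd.txt"), // "asd(1).txt"
  };
}

console.log(demo());
```

The order of operations in acceptUpload is the point: the advisory describes validation being skipped on the duplicate-file path, so the check is placed after the name the store will really use has been decided, and the control-character rejection means no later truncation by the file system can change which extension was validated.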