找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2359|回复: 0
打印 上一主题 下一主题

最新FCKEditor ASP上传绕过漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-10 10:18:50 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
exploiut-db:
/ f3 I) U2 [) _# d6 _! ]% [, |5 q
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass0 p2 S, m! a3 O( j' U2 C1 r
& t( d& x' X4 u6 {% A4 L1 k3 `! P
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
) q$ ~- l$ h  {- Credit goes to: Mostafa Azizi, Soroush Dalili8 g3 l' g6 K& S" k* _" O
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
! n; a+ ^6 w7 n- Description:' F2 o8 L3 g) \. ^' {% n; H
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
0 k- b2 {$ `; f' O; Sdealing with the duplicate files. As a result, it is possible to bypass0 V+ u  b6 d/ K2 C3 l" C
the protection and upload a file with any extension./ L! t: v3 Q5 A& B2 b3 ?; |4 e3 P
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
* Q: v, M) g- u' q) ]- Solution: Please check the provided reference or the vendor website.
! A) r5 I. d- b7 S- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720- ]0 l6 K- j/ I) S4 f8 E; E8 k
"
6 a+ ?1 G2 h% A- Q& H$ ]Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:% G; |8 M/ N( i! r" M2 ?
In “config.asp”, wherever you have:
* K7 w' N6 q3 m4 C+ ^3 y+ c# [      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
5 Q5 W) X9 {' n0 v- Q( z( yChange it to:" ?1 \/ [8 i+ \0 z& u
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”
! O' Y$ v0 I7 n* Y2 G
5 E' Y" A- a' J 4 ^: \4 w$ @; ?1 x1 R/ x
, ~" o( |- O/ S+ k8 U) g& L

! r5 D' G: x, I; F1 W9 g  i4 a: S
8 \- Y5 p' D; _; Nphp测试无效
5 u- w% P2 u6 Basp/aspx测试成功:2 b  C- X+ E! s
来到/FCKeditor/editor/filemanager/connectors/test.html) [( ?: N  q& E4 U/ q. w- ]; V
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt& l, p) w/ Q: H

1 k9 N! J+ x( jburpsuite上传包并修改,repeater3 T: K7 b8 D  Z4 h
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp
; b5 x& h( t. Q% k
# B% V1 E# @; S3 }8 H- n# Y如图,webshell为:http://localhost/userfiles/file/asd(1).asp9 ^$ G+ h$ R1 q+ m
5 ~; _- g  r; p; }& {+ X* |
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表