Latest FCKEditor ASP upload bypass vulnerability

Original poster, posted on 2012-12-10 10:18:50
From exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"
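As an added example (not from the advisory and not FCKEditor's own code), the following Python models the config.asp quick patch and the connector's extension check, assuming, as the patch implies, that the connector feeds the configured pattern straight into VBScript's RegExp.Test. RegExp.Test, like Python's re.search, succeeds if the pattern matches anywhere in the extension string, so an unanchored list accepts any extension that merely contains an allowed one; the sample config lines and helper names below are constructed.

```python
import re

# Constructed sample in the style of FCKEditor's config.asp (shortened extension
# lists, not the real defaults). The "File" line is the weak, unanchored form;
# the "Image" line already carries the quick patch.
SAMPLE_CONFIG = '''
ConfigAllowedExtensions.Add "File", "doc|pdf|txt|zip"
ConfigAllowedExtensions.Add "Image", "^(bmp|gif|jpeg|jpg|png)$"
'''

# Groups: 1 = text up to the opening quote of the pattern, 2 = resource type,
#         3 = the pattern itself, 4 = the closing quote.
ADD_RE = re.compile(r'(ConfigAllowedExtensions\.Add\s+"(\w+)"\s*,\s*")([^"]*)(")')

def parse_allowed(text):
    """Return {resource_type: pattern} for every ConfigAllowedExtensions.Add line."""
    return {m.group(2): m.group(3) for m in ADD_RE.finditer(text)}

def is_anchored(pattern):
    """True when the pattern already has the ^(...)$ shape the quick patch asks for."""
    return pattern.startswith("^(") and pattern.endswith(")$")

def anchor(pattern):
    """Apply the quick patch to one pattern. An empty pattern is left alone so this
    helper does not change whatever meaning the connector gives it (assumption)."""
    if pattern == "" or is_anchored(pattern):
        return pattern
    return "^(" + pattern + ")$"

def patch_config(text):
    """Rewrite every ConfigAllowedExtensions.Add line so its pattern is anchored."""
    return ADD_RE.sub(lambda m: m.group(1) + anchor(m.group(3)) + m.group(4), text)

def is_allowed_ext(extension, pattern):
    """Model of the connector's check: VBScript RegExp.Test with IgnoreCase=True
    succeeds if the pattern matches anywhere in the string, which is what
    re.search does here. Unanchored, an extension that merely contains an
    allowed one as a substring passes; anchored, only an exact entry passes."""
    return re.search(pattern, extension, re.IGNORECASE) is not None

if __name__ == "__main__":
    weak = parse_allowed(SAMPLE_CONFIG)["File"]
    fixed = parse_allowed(patch_config(SAMPLE_CONFIG))["File"]
    for ext in ("txt", "TXT", "mytxt", "asp"):
        print(ext, "weak:", is_allowed_ext(ext, weak), "fixed:", is_allowed_ext(ext, fixed))
```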

PHP test: no effect.
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
