exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass:
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
PHP test: ineffective
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this builds on the earlier second-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request with Burp Suite and modify it in Repeater;
change the filename to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
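Added illustration (this is not code from the exploit-db entry, from FCKeditor, or from the poster): the Python below models the two allow-list checks the quick patch distinguishes, an unanchored pattern versus "^(Extensions Here)$", and runs the filename from the test above through both. The shortened allow-list, the sample filenames, the way the extension is taken from the raw request name, and the NUL-truncation of the on-disk name are assumptions made for the example; the real connector is classic ASP, and the "(1)" suffix it appends for duplicates is not modelled.

```python
import re

# Allow-list in the shape of the config.asp "File" entry the quick patch edits.
# Constructed, shortened list for the example; FCKeditor's real list is longer.
ALLOWED_EXTENSIONS = "7z|aiff|asf|avi|bmp|csv|doc|gif|jpeg|jpg|pdf|png|ppt|rar|txt|xls|zip"

# Model of the unpatched check: the allow-list is used as a bare pattern, so it
# matches anywhere inside the extension string instead of the whole string.
VULNERABLE_CHECK = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)

# Model of the patched check: "^(Extensions Here)$" forces a whole-string match.
FIXED_CHECK = re.compile(r"^(" + ALLOWED_EXTENSIONS + r")$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Extension as the check sees it: everything after the last dot of the
    name exactly as it arrived in the request, NUL byte included (assumption)."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def stored_name(filename: str) -> str:
    """Assumed on-disk name: the Win32 file APIs behind classic ASP take a
    NUL-terminated path, so everything from the first NUL onward is dropped.
    The "(1)" suffix the connector adds for duplicate names is not modelled."""
    return filename.split("\x00", 1)[0]


def passes(filename: str, check: re.Pattern) -> bool:
    """True if the given check would accept the request filename."""
    return check.search(extension_of(filename)) is not None


def simulate_upload(filename: str) -> dict:
    """Run one requested filename through both checks and report what the
    filesystem would actually store."""
    return {
        "requested": filename,
        "extension_checked": extension_of(filename),
        "vulnerable_allows": passes(filename, VULNERABLE_CHECK),
        "fixed_allows": passes(filename, FIXED_CHECK),
        "stored_as": stored_name(filename),
    }


# Constructed sample filenames. The "%00" from the test above is already
# URL-decoded here into a real NUL byte, as Burp Repeater sends it.
SAMPLES = [
    "asd.asp.txt",      # legitimate .txt upload, accepted by both checks
    "asd.asp\x00txt",   # the bypass: check sees "asp\x00txt", disk sees asd.asp
    "asd.asp",          # plain .asp, rejected by both checks
    "readme.asptxt",    # unanchored check also accepts this (not executable)
]

if __name__ == "__main__":
    for name in SAMPLES:
        r = simulate_upload(name)
        print(f"{r['requested']!r:22} vuln={r['vulnerable_allows']!s:5} "
              f"fixed={r['fixed_allows']!s:5} stored={r['stored_as']!r}")
```

The unanchored pattern finds "txt" inside "asp\x00txt" and lets the request through, while the stored name is cut at the NUL and ends in .asp; the anchored pattern only accepts an extension that is exactly one of the listed values, so the same request is rejected.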