exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:

    ConfigAllowedExtensions.Add "File", "Extensions Here"

Change it to:

    ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Tested on PHP: does not work.
Tested on ASP/ASPX: works:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier second-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then apply URL encoding to the %00; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
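The quick patch above (anchoring the allowed-extension pattern) and the NUL-byte file name from the test steps, modelled in Python as an added example that is not code from the advisory or from FCKeditor itself. The allow-list is a constructed sample standing in for "Extensions Here", and `allowed_by` is an assumption about how config.asp's pattern is tested against the extension.

```python
import re

# Constructed sample allow-list standing in for the "Extensions Here"
# placeholder in config.asp (the real default list is longer).
ALLOWED_EXTENSIONS = "gif|jpg|png|txt"

# Before the quick patch: the pattern is used as-is, so it matches anywhere
# inside the extension string.
UNANCHORED = re.compile(ALLOWED_EXTENSIONS, re.IGNORECASE)
# After the quick patch: "^(Extensions Here)$" forces a whole-string match.
ANCHORED = re.compile(r"^(" + ALLOWED_EXTENSIONS + r")$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Text after the last dot, or '' when the name has no dot."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""


def allowed_by(pattern: "re.Pattern[str]", filename: str) -> bool:
    """Assumed model of the config.asp allow-list test: only the extension
    string is tested against the configured pattern."""
    return pattern.search(extension_of(filename)) is not None


def hardened_check(filename: str) -> bool:
    """Anchored allow-list plus rejection of control characters (the NUL
    byte among them), so a name is never truncated by the filesystem into
    something the check did not see."""
    if any(ord(ch) < 0x20 for ch in filename):
        return False
    return allowed_by(ANCHORED, filename)


# Constructed samples: the legitimate text upload from the post and the
# NUL-byte name "asd.asp%00txt" as it looks after URL-decoding.
SAMPLES = ["asd.asp.txt", "asd.asp\x00txt", "photo.png", "shell.asp"]


def compare(samples=SAMPLES) -> dict:
    """Return {filename: (unanchored, anchored, hardened)} verdicts."""
    return {
        name: (allowed_by(UNANCHORED, name), allowed_by(ANCHORED, name), hardened_check(name))
        for name in samples
    }


if __name__ == "__main__":
    for name, (loose, strict, hard) in compare().items():
        print(f"{name!r:20} unanchored={loose!s:5} anchored={strict!s:5} hardened={hard}")
```

The NUL-byte name passes only the unanchored pattern, because `txt` is found inside `asp\x00txt`; the anchored pattern from the quick patch and the control-character check both reject it.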