exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In “config.asp”, wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
php test: not effective
asp/aspx test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the duplicate-upload vulnerability above, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite and modify it, in Repeater
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp
As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
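As an added illustration of the quick patch above (this is not code from the original post, from exploit-db or from FCKEditor itself), the following Python snippet shows why the extension allow-list has to be anchored with ^( )$ and why a filename carrying a NUL byte must be rejected before any extension check. It uses Python's re module instead of the VBScript RegExp used by config.asp, and the allow-list txt/jpg/png is a constructed example, not FCKEditor's real list.

```python
import re

# Constructed allow-list for the illustration; the real config.asp lists
# many more extensions. This is the "Extensions Here" part of the patch.
ALLOWED = ("txt", "jpg", "png")

# Before the patch: a bare alternation, "txt|jpg|png".
UNANCHORED = re.compile("|".join(ALLOWED), re.IGNORECASE)
# After the patch: "^(txt|jpg|png)$", the whole string must be one extension.
ANCHORED = re.compile("^(" + "|".join(ALLOWED) + ")$", re.IGNORECASE)


def matches_unanchored(ext: str) -> bool:
    # re.search finds the alternation anywhere in the string, so a value such
    # as "txt.asp" or "asptxt" passes even though neither is an allowed extension.
    return UNANCHORED.search(ext) is not None


def matches_anchored(ext: str) -> bool:
    # With ^ and $ the candidate has to be exactly one allowed extension.
    return ANCHORED.search(ext) is not None


def is_allowed_upload(filename: str) -> bool:
    """Defensive check: reject control characters (including the NUL that a
    URL-encoded %00 decodes to) and path separators before looking at the
    extension, so the extension validated is the one the filesystem will use
    when the file is written or renamed to name(1).ext."""
    if any(ord(c) < 0x20 or c in "/\\" for c in filename):
        return False
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]   # only the final extension counts
    if not ext:
        return False
    return matches_anchored(ext)


if __name__ == "__main__":
    # Constructed sample names, including the shapes used in the post.
    for name in ("asd.txt", "asd.asp.txt", "asd.asp\x00txt", "asd(1).asp"):
        print(repr(name), is_allowed_upload(name))
```

Note that asd.asp.txt still passes, because its final extension really is txt; the defence is that the NUL-bearing variant is refused outright and that the rename path cannot see an extension the validator did not.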