exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation of the extension when the FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
Testing against PHP had no effect.
Testing against ASP/ASPX succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier second-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater:
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
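The quick patch above and the %00 step just described, modelled as an added Python example (not code from the advisory or from FCKeditor): it assumes the ASP connector tests the extracted extension with an unanchored VBScript RegExp (which is what wrapping the list in ^( )$ implies), so an extension such as "asp<NUL>txt" passes a substring match for "txt"; the extension list and file names are constructed.

```python
import re

# Constructed allowed-extension list in the "a|b|c" form that config.asp passes
# to ConfigAllowedExtensions.Add (assumption; the real list is much longer).
ALLOWED_FILE_EXTS = "txt|gif|jpg|pdf"

def vbscript_regexp_test(pattern: str, text: str) -> bool:
    """Model of VBScript RegExp.Test with IgnoreCase: an unanchored search."""
    return re.search(pattern, text, re.IGNORECASE) is not None

def extension_of(filename: str) -> str:
    """Text after the last dot of the submitted name (empty if there is none)."""
    return filename.rsplit(".", 1)[1] if "." in filename else ""

def ext_allowed_unpatched(filename: str) -> bool:
    """Check with the pattern as written: any substring match counts."""
    return vbscript_regexp_test(ALLOWED_FILE_EXTS, extension_of(filename))

def ext_allowed_patched(filename: str) -> bool:
    """Check after the quick patch: the whole pattern is wrapped in ^( )$."""
    return vbscript_regexp_test("^(" + ALLOWED_FILE_EXTS + ")$",
                                extension_of(filename))

def ext_allowed_hardened(filename: str) -> bool:
    """Anchored match plus rejection of control characters such as NUL."""
    if any(ord(ch) < 0x20 for ch in filename):
        return False
    return re.fullmatch(ALLOWED_FILE_EXTS, extension_of(filename),
                        re.IGNORECASE) is not None

def name_stored_on_disk(filename: str) -> str:
    """Assumption: the platform file API treats the name as a C string and
    stops at the first NUL, so "asd.asp\\x00txt" is created as "asd.asp"."""
    return filename.split("\x00", 1)[0]

if __name__ == "__main__":
    submitted = "asd.asp\x00txt"  # the %00 from the write-up, URL-decoded
    print(ext_allowed_unpatched(submitted), ext_allowed_patched(submitted),
          ext_allowed_hardened(submitted), name_stored_on_disk(submitted))
```

The unpatched check accepts the constructed name while both the patched and the hardened checks reject it; the hardened variant also refuses any name containing control characters rather than relying on the regex alone.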