exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File","^(Extensions Here)$"
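The quick patch above works by anchoring the allow-list pattern. As an added illustration (not code from the advisory or from FCKeditor), the Python model below contrasts an unanchored extension check with the anchored one and re-validates the name produced by duplicate-file renaming. The short allow-list, the function names, and the use of `\x00` to stand in for the `%00` mentioned on this page are assumptions.

```python
import re
from typing import Optional, Set

# Constructed stand-in for the "File" allow-list; the real config.asp
# value is not on the page.
ALLOWED = "txt|pdf|zip"

# Weak form: no anchors, so a match anywhere inside the extension passes.
UNANCHORED = re.compile(f"({ALLOWED})", re.IGNORECASE)

# Quick-patch form: the whole extension must equal one allow-listed value.
ANCHORED = re.compile(f"^({ALLOWED})$", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Return the text after the last dot, lower-cased (empty if no dot)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def extension_allowed(filename: str, pattern: "re.Pattern") -> bool:
    """Regex search on the extension, mirroring a RegExp.Test() call."""
    return pattern.search(extension_of(filename)) is not None


def unique_name(filename: str, existing: Set[str]) -> str:
    """Duplicate handling: append (1), (2), ... until the name is unused."""
    if filename not in existing:
        return filename
    stem, ext = filename.rsplit(".", 1)
    n = 1
    while f"{stem}({n}).{ext}" in existing:
        n += 1
    return f"{stem}({n}).{ext}"


def accept_upload(filename: str, existing: Set[str]) -> Optional[str]:
    """Hardened path: reject embedded NUL bytes, apply the anchored check,
    then re-check the final name after duplicate renaming.
    Returns the name to store, or None when the upload must be refused."""
    if "\x00" in filename or not extension_allowed(filename, ANCHORED):
        return None
    final = unique_name(filename, existing)
    # The renamed file must satisfy exactly the same rule as the original.
    if not extension_allowed(final, ANCHORED):
        return None
    return final
```

With the unanchored pattern the extension "asp\x00txt" is accepted because "txt" occurs inside it; the anchored pattern rejects it, and the NUL check rejects it before the regex is even consulted.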
Tested on PHP: no effect.
Tested on ASP/ASPX: success:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this combines with the earlier second-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it with Repeater
Change the name to asd.asp%00txt, then convert the %00 to URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp