Latest FCKEditor ASP Upload Bypass Vulnerability

Posted by the original poster on 2012-12-10 10:18:50
exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: no effect.
Tested on ASP/ASPX: success.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it from Repeater.
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after the upload you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
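Added example, not part of the original post and not FCKEditor's own code: a small Python model of the two behaviours the post relies on. It contrasts an allow-list regex used without `^`/`$` anchors with the anchored form from the quick patch above, and it shows null-byte truncation turning `asd.asp%00txt` into `asd.asp` on disk, with the `(n)` duplicate renaming then producing `asd(1).asp`. The shortened allow-list, the last-dot extension split and the collision loop are assumptions chosen to mirror the config.asp snippet, not a reproduction of the ASP connector, so the exact step at which the connector assigned `(1)` in the post is not claimed here.

```python
import re

# Constructed, shortened allow-list in the style of the config.asp value for
# the "File" resource type (the real default list is longer).
ALLOWED_FILE_EXTS = "7z|avi|csv|doc|docx|gif|jpeg|jpg|mp3|pdf|png|ppt|txt|xls|zip"


def is_allowed_unanchored(ext, allowed=ALLOWED_FILE_EXTS):
    """'Before' form of the config: the alternation is used as a bare pattern,
    so it is satisfied by an allowed extension appearing anywhere in ext."""
    return re.search(allowed, ext, re.IGNORECASE) is not None


def is_allowed_anchored(ext, allowed=ALLOWED_FILE_EXTS):
    """Quick-patch form: "^(...)$" forces the whole string to be one entry."""
    return re.search("^(" + allowed + ")$", ext, re.IGNORECASE) is not None


def split_extension(filename):
    """Split on the last dot (assumed model of the connector's handling).
    'asd.asp\\x00txt' has a single dot, so its extension is 'asp\\x00txt'."""
    base, dot, ext = filename.rpartition(".")
    return (base, ext) if dot else (filename, "")


def on_disk_name(filename):
    """Null-byte truncation: the script string keeps the full name, but the
    C-string file API that finally receives it stops at the first NUL."""
    return filename.split("\x00", 1)[0]


def simulate_upload(filename, existing, check):
    """Model of one upload request: extension check, then base(n).ext renaming
    while the target name already exists. Returns the name that lands on disk,
    or None when the check rejects the request. `existing` holds the names
    already on disk (after truncation), e.g. {"asd.asp.txt"}."""
    base, ext = split_extension(filename)
    if not check(ext):
        return None
    candidate = filename
    counter = 0
    while on_disk_name(candidate) in existing:
        counter += 1
        candidate = f"{base}({counter}).{ext}"
    return on_disk_name(candidate)


def replay(requests, check, existing=frozenset()):
    """Send a sequence of filenames through `check` and return the list of
    on-disk results, updating the simulated directory as it goes."""
    disk = set(existing)
    results = []
    for name in requests:
        saved = simulate_upload(name, disk, check)
        results.append(saved)
        if saved is not None:
            disk.add(saved)
    return results


if __name__ == "__main__":
    # The post's sequence: asd.asp.txt first, then asd.asp%00txt with the
    # %00 turned into a raw null byte, sent twice so the (n) renaming shows.
    sequence = ["asd.asp.txt", "asd.asp\x00txt", "asd.asp\x00txt"]
    print("unanchored:", replay(sequence, is_allowed_unanchored))
    print("anchored:  ", replay(sequence, is_allowed_anchored))
```

With the unanchored pattern the extension `asp\x00txt` passes because `txt` occurs inside it, the file lands as `asd.asp`, and a repeat of the same request becomes `asd(1).asp`; with `^(...)$` the whole extension must equal one allowed entry, so the request is rejected before any renaming takes place.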