exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation of the extension when the FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
    ConfigAllowedExtensions.Add "File","Extensions Here"
Change it to:
    ConfigAllowedExtensions.Add "File","^(Extensions Here)$"

Tested against the PHP version: did not work.
Tested against the ASP/ASPX version: succeeded.
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier second-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite and modify it in Repeater:
change the filename to asd.asp%00txt, then convert the %00 into its URL-encoded form; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
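An added worked example in Python, not code from the advisory, from FCKeditor or from the poster, modelling the check that the quick patch above changes and the result the steps above produce: the allowed-extension list used as a regex without anchors versus wrapped in ^( )$, the name(1).ext rename applied on a filename collision, and the NUL truncation that turns asd(1).asp%00txt into asd(1).asp on disk. The function names, the shortened allowlist, the case-insensitive matching and the assumption that the collision rename copies the extension from the original name without re-checking it are mine; the collision itself is simulated by passing a counter rather than by looking at a real directory.

```python
import re

# Constructed allowlist in the "ext1|ext2|..." form that config.asp passes to
# ConfigAllowedExtensions.Add "File", "..."; shortened for the example.
ALLOWED_FILE_EXTENSIONS = "7z|bmp|doc|gif|jpeg|jpg|pdf|png|txt|zip"


def extension_of(filename):
    """Text after the last dot, lower-cased. Models a
    Mid(name, InStrRev(name, ".") + 1) style extraction (assumption)."""
    dot = filename.rfind(".")
    return filename[dot + 1:].lower() if dot != -1 else ""


def is_allowed_ext_unanchored(ext, allowed=ALLOWED_FILE_EXTENSIONS):
    """Weak check: the allowlist string is used as the regex pattern as-is,
    so a match anywhere inside ext is enough ("asp" + NUL + "txt" contains
    "txt" and therefore passes)."""
    return re.search(allowed, ext, re.IGNORECASE) is not None


def is_allowed_ext_anchored(ext, allowed=ALLOWED_FILE_EXTENSIONS):
    """The advisory's quick patch: wrap the list in ^( ... )$ so the whole
    extension has to equal one listed value. IGNORECASE mirrors an ASP RegExp
    with IgnoreCase = True (assumption)."""
    return re.search("^(" + allowed + ")$", ext, re.IGNORECASE) is not None


def rename_duplicate(original, counter):
    """Collision rename of the form stem(counter).ext. The extension is copied
    from the original name without being validated again, which is the
    duplicate-file weakness the advisory describes (modelled, assumption)."""
    dot = original.rfind(".")
    if dot == -1:
        return "%s(%d)" % (original, counter)
    stem, ext = original[:dot], original[dot + 1:]
    return "%s(%d).%s" % (stem, counter, ext)


def stored_name(name):
    """Win32 file APIs treat the path as a NUL-terminated string, so the part
    after the first NUL byte never reaches the file system."""
    return name.split("\x00", 1)[0]


def upload_outcome(filename, check, counter=0):
    """On-disk name an upload would get under the given extension check, or
    None when rejected. counter > 0 simulates 'a file with that name already
    exists' instead of checking a real directory."""
    if not check(extension_of(filename)):
        return None
    name = rename_duplicate(filename, counter) if counter else filename
    return stored_name(name)


if __name__ == "__main__":
    # Constructed inputs mirroring the steps in the post: a harmless first
    # upload, then the same stem with a raw NUL byte inside the extension.
    first = "asd.asp.txt"
    second = "asd.asp\x00txt"
    for label, check in (("unanchored", is_allowed_ext_unanchored),
                         ("anchored", is_allowed_ext_anchored)):
        print(label, repr(first), "->", upload_outcome(first, check))
        print(label, repr(second), "-> collision ->",
              upload_outcome(second, check, counter=1))
```

With the unanchored check the second upload lands as asd(1).asp, which is the result reported above; with the ^( )$ pattern the same request is rejected while an ordinary .txt or .TXT upload is still accepted.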