找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2354|回复: 0
打印 上一主题 下一主题

最新FCKEditor ASP上传绕过漏洞

[复制链接]
跳转到指定楼层
楼主
发表于 2012-12-10 10:18:50 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
exploiut-db:6 n8 B- t7 l) j# D# c
! x- b3 K$ Y8 [) d1 U
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
+ |3 Z% H% \. a% B# K. s& O9 G* K; C3 X7 e; t$ c  d# X* h
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass, g6 _) d* ^% i; X! |
- Credit goes to: Mostafa Azizi, Soroush Dalili
  Y- Y; Y. I/ t2 {% D; ]& `4 P+ o8 v- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
+ V' i+ P5 i, g& x* X- Description:
2 A2 \+ }4 K& R, F' F2 i9 K7 @. I7 f6 jThere is no validation on the extensions when FCKEditor 2.6.8 ASP version is
) k5 o; \' L2 K+ F) m! odealing with the duplicate files. As a result, it is possible to bypass
# P6 i* T: |% [the protection and upload a file with any extension.
. ^  p4 [) o, G1 m" N& J/ C0 a- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/% `' ~9 ^& a2 ?# D
- Solution: Please check the provided reference or the vendor website.  _; x" y2 S. {- S; S3 B9 I
- PoC:http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720! P' K) Y1 K  E/ @. C
"
/ W0 @2 }9 K3 l5 l9 E! v% tNote: Quick patch for FCKEditor 2.6.8 File Upload Bypass:2 w2 R- {' f3 G* `3 J
In “config.asp”, wherever you have:
5 H; A+ I7 y+ w, s      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
3 I8 R/ B8 d6 g( p9 y( h% E, hChange it to:+ y- J5 L: f) \2 A* Z1 p2 q- X( ]# W
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”& r( R: k4 _9 z7 ^7 j
$ i- f- R3 H" M' T( |! |

8 z# E" Z$ _5 L) A0 ?8 [. L& N$ x) S% t: r+ d
. B) r3 P5 t. Y. l. j
# X: ]( s; a- s1 O+ n7 y
php测试无效/ d* T4 u% k* M
asp/aspx测试成功:. H% A$ h4 N! _- x2 F0 g/ J$ y+ Q1 l
来到/FCKeditor/editor/filemanager/connectors/test.html9 w+ A: ?# x( t& U0 U
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt6 C4 ?* k- v% K: q! f
2 ^; w  d- W6 D
burpsuite上传包并修改,repeater8 S$ W7 Q( H* d8 s, _5 t
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp
4 L9 T0 U8 \* i+ x* p* F! Z. d! P, m+ y2 Q; F+ x
如图,webshell为:http://localhost/userfiles/file/asd(1).asp  ]6 i0 E  x, h% j: H

  Y+ b" D- P2 N+ T$ v2 e! e8 [
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表