Latest FCKEditor ASP Upload Bypass Vulnerability

Posted on 2012-12-10 10:18:50
exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description: There is no validation on the extensions when FCKEditor 2.6.8 ASP version is dealing with the duplicate files. As a result, it is possible to bypass the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"

PHP test: ineffective.
ASP/ASPX test: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier second-upload (duplicate file) vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it and send it through Repeater:
change the filename to asd.asp%00txt, then convert the %00 using URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
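The two defects the advisory names (the extension regex applied without anchors, and no re-validation on the duplicate-rename path) are easier to see in a small model. The Python below is an added example written for this page, not FCKEditor's ASP code: it mimics the check with `re.search`, which has the same any-match semantics as VBScript's `RegExp.Test`, models NUL truncation by the filesystem layer, and puts the vulnerable connector beside a hardened one. The hardened version goes slightly beyond the quick patch: besides the `^(...)$` anchoring it rejects control bytes and checks the final on-disk name rather than the submitted one. The allow-list, and the pre-existing `asd.asp` that forces the rename path, are constructed assumptions (the post does not say how the collision arose).

```python
import re

# Constructed allow-list in the "a|b|c" style of the ConfigAllowedExtensions
# entries quoted above; the values are assumed, not FCKEditor's shipped list.
ALLOWED = "jpg|gif|png|txt|zip"

# The two forms from the quick patch: "Extensions Here" vs "^(Extensions Here)$".
UNANCHORED = re.compile(ALLOWED, re.IGNORECASE)
ANCHORED = re.compile(r"^(" + ALLOWED + r")$", re.IGNORECASE)

# Constructed state of the upload directory: the asd.asp.txt from the post plus an
# assumed asd.asp so that the duplicate-rename path is exercised.
EXISTING_FILES = {"asd.asp.txt", "asd.asp"}


def extension_of(filename):
    """Text after the last dot, empty if there is no dot."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def is_allowed(filename, pattern):
    """Extension check with any-match semantics, like VBScript RegExp.Test:
    with the unanchored pattern, the "txt" inside "asp\\x00txt" is enough."""
    return pattern.search(extension_of(filename)) is not None


def on_disk_name(filename):
    """Model of a NUL-terminated filesystem API: the name ends at the first NUL."""
    return filename.split("\x00", 1)[0]


def unique_name(filename, existing):
    """Duplicate handling: base(1).ext, base(2).ext, ... until the on-disk name is
    free. The extension is carried over unchanged; this is the path the advisory flags."""
    base, _, ext = filename.rpartition(".")
    candidate, n = filename, 0
    while on_disk_name(candidate) in existing:
        n += 1
        candidate = "%s(%d).%s" % (base, n, ext)
    return candidate


def vulnerable_upload(filename, existing):
    """Unanchored check on the submitted name, rename on collision, no re-check.
    Returns the name that lands on disk, or None if rejected."""
    if not is_allowed(filename, UNANCHORED):
        return None
    return on_disk_name(unique_name(filename, existing))


def hardened_upload(filename, existing):
    """Reject control bytes up front, then run the anchored check on the final
    on-disk name, i.e. after any duplicate rename and NUL truncation."""
    if any(ord(c) < 0x20 for c in filename):
        return None
    final = on_disk_name(unique_name(filename, existing))
    if not is_allowed(final, ANCHORED):
        return None
    return final


if __name__ == "__main__":
    for name in ("asd.asp.txt", "asd.asp\x00txt", "x.jpgasp", "x.asp"):
        print(repr(name),
              "vulnerable ->", vulnerable_upload(name, EXISTING_FILES),
              "| hardened ->", hardened_upload(name, EXISTING_FILES))
```

`re.search` is used for both patterns on purpose, so that the only difference between the vulnerable and the patched check is the anchors themselves; with `asd.asp\x00txt` the unanchored check passes because `txt` occurs inside the extension, the rename keeps that extension, and NUL truncation leaves `asd(1).asp` on disk, which is the name the post reports. The `x.jpgasp` case shows that anchoring matters even without a NUL byte.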