最新FCKEditor ASP上传绕过漏洞

Posted 2012-12-10 10:18:50

exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File","Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File","^(Extensions Here)$"


PHP test: no effect
ASP/ASPX test succeeded:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier double-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite, modify it, and send it with Repeater
Change the name to asd.asp%00txt, then convert the %00 with URL encoding; after uploading you get asd(1).asp

As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
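The check that the advisory's quick patch hardens, modelled in Python as an added example (not FCKEditor's own ASP code): the whitelist alternation from config.asp is applied as a regex to the extracted extension, so without `^...$` anchors any extension that merely contains an allowed token passes, and the hardened path also re-validates the name that actually reaches the disk after duplicate renaming. The allowed list, the NUL-truncation model of the file API and the `name(1).ext` rename scheme are assumptions for illustration, not taken from the connector source.

```python
import re

# Constructed allowed list in config.asp style; the real default list is longer.
ALLOWED = "doc|gif|jpg|pdf|png|txt|zip"
UNANCHORED = ALLOWED          # pattern as used before the quick patch
ANCHORED = f"^({ALLOWED})$"   # the advisory's quick patch: anchor both ends

def extension_of(name: str) -> str:
    """Text after the last dot, as the connector extracts it ('' if no dot)."""
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""

def ext_allowed(name: str, pattern: str) -> bool:
    """Whitelist test: regex search over the extracted extension, case-insensitive."""
    return re.search(pattern, extension_of(name), re.IGNORECASE) is not None

def on_disk_name(name: str) -> str:
    """Assumed model of a NUL-terminated file API: the path ends at the first NUL."""
    return name.split("\0", 1)[0]

def duplicate_rename(name: str, existing: set) -> str:
    """Assumed rename scheme: name.ext -> name(1).ext, name(2).ext ... until unused."""
    base, dot, ext = name.rpartition(".")
    candidate, n = name, 0
    while on_disk_name(candidate) in existing:
        n += 1
        candidate = f"{base}({n}).{ext}" if dot else f"{name}({n})"
    return candidate

def accept_upload(name: str, existing: set, pattern: str, hardened: bool = False):
    """Return the name that would be written, or None if the upload is rejected.
    hardened=True adds the checks the advisory implies: no control bytes in the
    name, and the anchored whitelist re-applied to the final on-disk name."""
    if not ext_allowed(name, pattern):
        return None
    final = on_disk_name(duplicate_rename(name, existing))
    if hardened:
        if any(ord(c) < 32 for c in name) or not ext_allowed(final, ANCHORED):
            return None
    return final
```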