Latest FCKEditor ASP upload bypass vulnerability

Posted on 2012-12-10 10:18:50

exploit-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
      ConfigAllowedExtensions.Add    "File", "Extensions Here"
Change it to:
      ConfigAllowedExtensions.Add    "File", "^(Extensions Here)$"
Tested on PHP: no effect.
Tested on ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request in Burp Suite and modify it in Repeater.
Change the name to asd.asp%00txt, then convert the %00 via URL encoding; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
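The following Python model, added here and not part of the original post or of FCKEditor's own code, shows why the quick patch above (anchoring the allow-list pattern with ^ and $) matters and where a connector should check the extension. Constructed allow-lists stand in for the "Extensions Here" entries in config.asp; the extension check, the duplicate-renaming step and the control-character rule are simplified assumptions about how an upload connector behaves, not FCKEditor's actual implementation. It demonstrates three things: an unanchored pattern is satisfied by a name like asd.asp%00txt because the pattern merely has to occur somewhere in the extension, the anchored pattern rejects it, and a hardened path re-validates the name that is actually stored after duplicate renaming.

```python
import re

# Constructed allow-lists in the style of config.asp entries (assumption, not project values).
PATTERN_UNANCHORED = "txt|jpg|gif|png"        # shape of the entry before the quick patch
PATTERN_ANCHORED = "^(txt|jpg|gif|png)$"      # shape of the entry after the quick patch


def extension_of(filename):
    """Text after the last dot, lower-cased; empty string if there is no dot."""
    if "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def is_allowed(filename, pattern):
    """Model of a regex-based extension check: the pattern is searched in the
    extension, mirroring a RegExp.Test-style call. With an unanchored pattern,
    any extension that merely contains an allowed word passes."""
    return re.search(pattern, extension_of(filename), re.IGNORECASE) is not None


def has_control_chars(name):
    """True if the name carries NUL or other control bytes (e.g. a decoded %00).
    Also covers a trailing newline, which Python's $ would otherwise tolerate."""
    return any(ord(ch) < 32 for ch in name)


def stored_name(filename, existing):
    """Hypothetical duplicate handling: if the name is taken, store it as
    name(1).ext, name(2).ext, ... This is the step the advisory says the
    vulnerable connector performs without re-validating the extension."""
    if filename not in existing:
        return filename
    base, dot, ext = filename.rpartition(".")
    if not dot:
        base, ext = filename, ""
    n = 1
    while True:
        candidate = f"{base}({n}){dot}{ext}"
        if candidate not in existing:
            return candidate
        n += 1


def hardened_upload(filename, existing, pattern=PATTERN_ANCHORED):
    """Return the name to store, or None if the upload must be rejected.
    The extension is checked with the anchored pattern both on the submitted
    name and on the final name that will be written to disk."""
    if has_control_chars(filename):
        return None
    if not is_allowed(filename, pattern):
        return None
    final = stored_name(filename, existing)
    if not is_allowed(final, pattern):
        return None
    return final


if __name__ == "__main__":
    probe = "asd.asp\x00txt"          # the %00 name from the post, decoded (constructed input)
    print(is_allowed(probe, PATTERN_UNANCHORED))   # True: 'txt' occurs inside 'asp\x00txt'
    print(is_allowed(probe, PATTERN_ANCHORED))     # False: whole extension must match
    print(hardened_upload("asd.asp.txt", {"asd.asp.txt"}))   # asd.asp(1).txt
    print(hardened_upload(probe, set()))                     # None
```

The key design point is that validation happens on the name that is actually stored, after any renaming or truncation, not only on the name the client submitted; anchoring the pattern closes the "contains an allowed word" hole, and rejecting control bytes removes the ambiguity between what the regex saw and what the filesystem API will write.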