exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Tested against PHP: ineffective.
Tested against ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-file upload vulnerability, first upload a file with arbitrary content: asd.asp.txt
Capture the upload request in Burp Suite, modify it, and send it to Repeater.
Change the name to asd.asp%00txt, then convert the %00 through URL encoding; after uploading you get asd(1).asp
As shown in the figure, the webshell is: http://localhost/userfiles/file/asd(1).asp
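The quick patch and the asd.asp%00txt test case above, modelled as an added example (not FCKEditor's own code): a JavaScript RegExp behaves like the VBScript RegExp object the ASP connector uses, the extension list is a constructed stand-in for the real config.asp value, and acceptUpload is a hypothetical hardened handler that re-checks the name after the duplicate rename.

```javascript
// Added example, not FCKEditor's own code. Models the allowed-extension check
// of the ASP connector for the original and the patched config.asp value
// (VBScript's RegExp object shares the JScript engine, so semantics match).
const EXTENSIONS_HERE = "7z|doc|pdf|txt|zip"; // constructed stand-in for the real list

// Original: ConfigAllowedExtensions.Add "File", "Extensions Here"
// Unanchored, so any *substring* of the extension that is an allowed
// extension satisfies the test.
function isAllowedUnanchored(ext) {
  return new RegExp(EXTENSIONS_HERE, "i").test(ext);
}

// Quick patch: ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
// Anchored, so the whole extension must be one of the allowed values.
function isAllowedAnchored(ext) {
  return new RegExp("^(" + EXTENSIONS_HERE + ")$", "i").test(ext);
}

// Split the client-supplied name at its last dot: [base, extension].
function splitName(fileName) {
  const dot = fileName.lastIndexOf(".");
  return dot === -1 ? [fileName, ""] : [fileName.slice(0, dot), fileName.slice(dot + 1)];
}

// Hypothetical hardened handler: reject control characters (a NUL is where
// the file system API truncates the name), validate with the anchored
// pattern, and validate again the name that is actually written after the
// "(n)" duplicate rename. Returns the stored name, or null when rejected.
function acceptUpload(fileName, existingNames) {
  if (/[\x00-\x1f]/.test(fileName)) return null;
  const [base, ext] = splitName(fileName);
  if (!isAllowedAnchored(ext)) return null;
  let candidate = fileName;
  for (let n = 1; existingNames.includes(candidate); n += 1) {
    candidate = `${base}(${n}).${ext}`;
  }
  return isAllowedAnchored(splitName(candidate)[1]) ? candidate : null;
}

// The name from the test above, with %00 decoded to a real NUL byte.
const probeExt = splitName("asd.asp\u0000txt")[1];
console.log("unanchored accepts:", isAllowedUnanchored(probeExt)); // true
console.log("anchored accepts:", isAllowedAnchored(probeExt));     // false
```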