exploit-db:
FCKEditor ASP Version 2.6.8 File Upload Protection Bypass
- Title: FCKEditor 2.6.8 ASP Version File Upload Protection Bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link: http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when the FCKEditor 2.6.8 ASP version is
dealing with duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC: http://www.youtube.com/v/1VpxlJ5 ... ;rel=0&vq=hd720

Note: Quick patch for the FCKEditor 2.6.8 File Upload Bypass:
In "config.asp", wherever you have:
ConfigAllowedExtensions.Add "File", "Extensions Here"
Change it to:
ConfigAllowedExtensions.Add "File", "^(Extensions Here)$"
Tested against the PHP version: no effect.
Tested against ASP/ASPX: successful:
Go to /FCKeditor/editor/filemanager/connectors/test.html
Because this is combined with the earlier duplicate-upload vulnerability, first upload a file with arbitrary content: asd.asp.txt

Capture the upload request with Burp Suite, modify it, and send it from Repeater
Change the name to asd.asp%00txt, then URL-decode the %00; after uploading you get asd(1).asp

As shown in the screenshot, the webshell is: http://localhost/userfiles/file/asd(1).asp
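The following is an added example, not code from the original post and not FCKeditor's own connector code. It is a simplified Python model of the bug class behind both the quick patch above (an unanchored allowed-extension pattern) and the asd.asp%00txt upload steps: the extension "asp<NUL>txt" passes an unanchored RegExp.Test-style check because "txt" occurs inside it, the duplicate-file rename rebuilds "<base>(N).<ext>" from that already-accepted extension, and the file API (assumed here to treat the name as a C string) truncates at the NUL, leaving an .asp file on disk. The extension list is a constructed subset of the default "File" list; the Connector class, the exact trigger used for the duplicate path (a collision on the truncated name, whereas the post seeds it with asd.asp.txt), and the post-rename re-check in the hardened variant are this example's own assumptions, not the page's.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed subset of the default "File" allowed-extension list in config.asp.
ALLOWED_FILE_EXTS = "doc|gif|jpg|pdf|png|txt|zip"

# The two patterns the quick patch contrasts: bare list (vulnerable) vs ^( )$ (patched).
PATTERN_UNANCHORED = ALLOWED_FILE_EXTS
PATTERN_ANCHORED = "^(" + ALLOWED_FILE_EXTS + ")$"


def is_allowed_ext(ext: str, pattern: str) -> bool:
    """Model of a RegExp.Test call: True if PATTERN matches anywhere in EXT."""
    return re.search(pattern, ext, re.IGNORECASE) is not None


def split_ext(name: str) -> Tuple[str, str]:
    """Split at the last dot: 'asd.asp\\x00txt' -> ('asd', 'asp\\x00txt')."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def os_visible_name(name: str) -> str:
    """Assumption about the platform: the file API stops at the first NUL, so
    'asd(1).asp\\x00txt' is created on disk as 'asd(1).asp'."""
    return name.split("\x00", 1)[0]


class Connector:
    """Hypothetical upload connector modelling only the filename handling."""

    def __init__(self, pattern: str, hardened: bool) -> None:
        self.pattern = pattern
        self.hardened = hardened
        self.files: Set[str] = set()  # names as they exist on disk

    def upload(self, raw_name: str) -> Optional[str]:
        """Return the on-disk name of the saved file, or None if rejected."""
        if self.hardened and "\x00" in raw_name:
            return None  # never let a NUL reach the filesystem
        base, ext = split_ext(raw_name)
        if not is_allowed_ext(ext, self.pattern):
            return None
        name, counter = raw_name, 0
        # Duplicate handling: rebuild "<base>(N).<ext>" from the extension
        # that was accepted above; the vulnerable path never re-checks it.
        while os_visible_name(name) in self.files:
            counter += 1
            name = f"{base}({counter}).{ext}"
        saved = os_visible_name(name)
        if self.hardened:
            # Defence in depth added by this example (beyond the quick patch):
            # validate the name that will actually be written.
            if not is_allowed_ext(split_ext(saved)[1], PATTERN_ANCHORED):
                return None
        self.files.add(saved)
        return saved


def demo() -> Dict[str, Optional[str]]:
    """Run the crafted name from the post through both connector variants."""
    vuln = Connector(PATTERN_UNANCHORED, hardened=False)
    safe = Connector(PATTERN_ANCHORED, hardened=True)
    crafted = "asd.asp\x00txt"  # the post's asd.asp%00txt after URL-decoding
    return {
        "benign_vuln": vuln.upload("asd.asp.txt"),  # 'asd.asp.txt'
        "first_vuln": vuln.upload(crafted),         # 'asd.asp' (NUL truncation)
        "dup_vuln": vuln.upload(crafted),           # 'asd(1).asp' via the rename path
        "benign_safe": safe.upload("asd.asp.txt"),  # 'asd.asp.txt'
        "crafted_safe": safe.upload(crafted),       # None
        "plain_asp_safe": safe.upload("asd.asp"),   # None
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

The vulnerable connector accepts the crafted name twice and the second upload lands as asd(1).asp, the artifact the post reports; the anchored pattern alone already rejects the extension "asp<NUL>txt", and the hardened variant additionally refuses NUL bytes and re-validates the final name after the rename so that no later rewrite of the name can reintroduce the problem.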