exploiut-db:

FCKEditor ASP Version 2.6.8 File Upload Protection Bypass

- Title: FCKEditor 2.6.8 ASP Version File Upload Protection bypass
- Credit goes to: Mostafa Azizi, Soroush Dalili
- Link:http://sourceforge.net/projects/fckeditor/files/FCKeditor/
- Description:
There is no validation on the extensions when FCKEditor 2.6.8 ASP version is
dealing with the duplicate files. As a result, it is possible to bypass
the protection and upload a file with any extension.
- Reference: http://soroush.secproject.com/blog/2012/11/file-in-the-hole/
- Solution: Please check the provided reference or the vendor website.
- PoC:http://www.youtube.com/v/1VpxlJ5jLO8?version=3&hl=en_US&rel=0&vq=hd720
"
Note: Quick patch for FCKEditor 2.6.8 File Upload Bypass:
In “config.asp”, wherever you have:
      ConfigAllowedExtensions.Add    “File”,”Extensions Here”
Change it to:
      ConfigAllowedExtensions.Add    “File”,”^(Extensions Here)$”

 

 

php测试无效
asp/aspx测试成功:
来到/FCKeditor/editor/filemanager/connectors/test.html
因为结合了之前二次上传的漏洞,所以先上传任意内容的文件:asd.asp.txt

burpsuite上传包并修改,repeater
名字改为asd.asp%00txt    然后把%00专为URL编码上传后得到asd(1).asp

如图,webshell为:http://localhost/userfiles/file/asd(1).asp

image

无需翻墙视频


Original Video

源链接

Hacking more

...