eWebEditor: the invisible bomb in your website - vulnerability warning

ID MYHACK58:6220055743
Type myhack58
Reporter Anonymous
Modified 2005-12-24T00:00:00


Have webmasters who use eWebEditor noticed that an improperly configured eWebEditor can become the invisible bomb in their site? I first found this vulnerability during an intrusion last year: at a dead end, I came across eWebEditor and easily got a WebShell through it. After that I used eWebEditor successfully in several more intrusions, which reminded me that I should write an article and share it, and also ask the many webmasters who use eWebEditor to check their own sites quickly. Otherwise, the next one to be hacked is you!

Exploiting the vulnerability

The steps for using eWebEditor to get a WebShell are roughly as follows:

1. Determine whether the site uses eWebEditor. In general, if the post (article) page has a similar marker icon, you can make a rough judgment.

2. View the source code and find the eWebEditor path. Click “view source” and check whether the source contains a statement similar to “<iframe ID='eWebEditor1' src='/edit/ewebeditor.asp?id=content&style=web' frameborder=0 scrolling=no width='550' HEIGHT='350'></iframe>”. In fact, only finding such a statement truly confirms that the site uses eWebEditor. Then note the value inside src='': that is the eWebEditor path.

3. Access the eWebEditor admin login page. The default management page is admin_login.asp, in the same directory as ewebeditor.asp. Taking the path above as an example, the address to access is <http://www.***.net/edit/admin_login.asp>; see whether a login page appears. If you do not see this page, the administrator has deleted the admin login page, so there is nothing more to do here; go and try somewhere else. In general, however, I rarely see an administrator who has deleted this page. Try the default username admin and password admin888. How did it go? Success! (If it is not the default account, see below.)

4. Add an upload file type. Click “Style Manager” and choose “Settings” for one of the styles at the bottom of the list. Why choose a style at the bottom of the list? Because the styles that ship with eWebEditor cannot be modified; of course, you can also copy a style to a new one and change that. Then add the “asa” type to the upload file types.

5. Upload the ASP Trojan and obtain the WebShell. Next, change the extension of the ASP Trojan to asa, and you can simply upload it. Don't ask me how to upload; see “Preview”? Click “Preview”, and then select the “Insert other file” button.

How the vulnerability works

The principle behind the vulnerability is simple. Look at the Upload.asp file:

    ' Uploading asp script files is not allowed under any circumstances
    sAllowExt = Replace(UCase(sAllowExt), "ASP", "")

The cause is that eWebEditor filters only ASP files. I remember wondering the first time I used eWebEditor: since the author already knew that asp files needed to be filtered, why not filter asa, cer and similar files at the same time? Perhaps this is a sign of irresponsibility toward free users!

Advanced use

There are a few more tricks for using the eWebEditor vulnerability:

1. The default username and password do not work. Try directly downloading the ewebeditor.mdb file from the db directory; the username and password are in the eWebEditor_System table, MD5-encrypted. If you cannot download it or cannot crack it, count it as bad luck.

2. The asa type has been added but the upload still fails. The webmaster probably understands a little code and has modified the Upload.asp file. That does not matter: by ordinary habit of thought, people usually modify the sAllowExt = Replace(UCase(sAllowExt), "ASP", "") statement directly. I saw one webmaster who modified it like this:

    sAllowExt = Replace(Replace(Replace(Replace(Replace(UCase(sAllowExt), "ASP", ""), "CER", ""), "ASA", ""), "CDX", ""), "HTR", "")

At first glance everything is filtered, but as long as we add “aaspsp” to the upload types, we can upload asp files directly. Isn't that an ingenious idea? Once the “asp” characters are filtered out of “aaspsp”, what is left is “asp” again! By the way, here is a secret: the Dvbbs forum 7.0 SP2 may also allow a similar method of bypassing the extension filter.

3. The asp file is uploaded, but the directory has no permission to run scripts. How silly: if the upload type can be changed, can't the upload path be modified too? Take a closer look at Figure 4.

4. Method 2 has been used, but the asp type still cannot be uploaded. It seems the webmaster is an asp expert, but we have one last move against him: see “remote type” in Figure 3? eWebEditor can be set to automatically save remote files of given types, and we can add the asp type. But how can the remotely fetched asp file be saved in source-code form? There are many methods; the simplest is to delete “asp” from the “application mappings” in IIS.
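The single-pass Replace filter discussed in the two sections above, modelled in Python as an added example (it is not eWebEditor's code or the author's): it audits a style's upload-type string for entries that still yield a script extension after filtering, and contrasts that with an exact-match allowlist. The “|” separator, the SAFE_EXTS policy, the file-name pattern and the sample style string are assumptions made for the illustration.

```python
import re

# Added example: a model of the Replace() filter quoted from Upload.asp.
SCRIPT_EXTS = {"ASP", "ASA", "CER", "CDX", "HTR"}  # extensions named on this page
SAFE_EXTS = {"GIF", "JPG", "JPEG", "PNG", "BMP"}   # assumed site policy
ORIGINAL = ("ASP",)                                 # shipped filter
PATCHED = ("ASP", "CER", "ASA", "CDX", "HTR")       # the webmaster's nested Replace
SAMPLE_STYLE = "gif|jpg|asa|aaspsp"                 # constructed style setting


def blacklist_filter(allow_ext, blocked=ORIGINAL):
    """Mimic Replace(UCase(sAllowExt), token, ""): one pass per token, in order."""
    result = allow_ext.upper()
    for token in blocked:
        result = result.replace(token, "")  # text left after a removal is not rescanned
    return result


def audit_allow_list(allow_ext, blocked=ORIGINAL, sep="|"):
    """Return (configured entry, what survives) pairs that are script extensions."""
    entries = allow_ext.split(sep)
    # The separator (assumed "|") never appears in a token, so positions line up.
    survivors = blacklist_filter(allow_ext, blocked).split(sep)
    return [(e, s) for e, s in zip(entries, survivors) if s in SCRIPT_EXTS]


# Assumed hardened policy: one simple base name, one dot, extension matched exactly.
_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def is_upload_allowed(filename, allowed=SAFE_EXTS):
    """Allowlist check that does not depend on editing the configured string."""
    match = _NAME.fullmatch(filename)
    return bool(match) and match.group(1).upper() in allowed


if __name__ == "__main__":
    print(audit_allow_list(SAMPLE_STYLE, ORIGINAL))
    print(audit_allow_list(SAMPLE_STYLE, PATCHED))
    print([is_upload_allowed(n) for n in ("photo.JPG", "page.asa", "a.asp.jpg")])
```

Running audit_allow_list over the upload-type strings stored for each style shows which configured entries a given Replace chain lets through; is_upload_allowed is the kind of server-side check that stays correct no matter what the style settings contain.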

Postscript

In my experience, almost any time you can get into the eWebEditor admin, you can basically get a WebShell. Searching Google for “ewebeditor.asp?id=” shows more than ten pages of related results; I generally spot-check a few of them and found the success rate is about 50 per cent. Not bad, right? Versions of oblog before 2.52 also use eWebEditor, so you can search for a few to practice on. What is galling is that the eWebEditor official website and help file contain no security tips on this at all. Also, I found that the official test system does not have a similar vulnerability, so it seems it is not that they don't know, but that they do not take the network security of free users to heart!