eWebEditorNet vulnerability demo [0Day]

ID MYHACK58:62200819172
Type myhack58
Reporter Anonymous
Modified 2008-05-27T00:00:00


When reproducing this post, please retain the copyright information: PopSky's Blog <http://www.popsky.org/>

When you access eWebEditorNet/Upload.aspx, you see only a Browse control; the Upload button is missing.

That is not a problem. After choosing the Trojan we want to upload, type javascript:lbtnUpload.click(); directly into IE and press Return.

The upload completes. Look at the code that comes back (right-click and view the page source):

parent.UploadError('not allowed to upload this type of file is it!!!!');

It seems the upload failed. A filter is in place that blocks ASPX file uploads.

Go back to the previous page, add a space after the address, and try again:

parent.UploadSavedFinish('20081232115126366.aspx ','jackie.aspx ');history.back();

Hehe... the restriction is bypassed and the ASPX file uploads successfully.

By default, uploaded files are saved under eWebEditorNet/UploadFile/. Now check whether the upload succeeded.

As for what can be done next, don't ask me; I don't know.

Summary:

1> javascript:lbtnUpload.click(); The language is JavaScript, and it sends a Click event to lbtnUpload on the current page. In effect it is the same as clicking the Submit button ourselves.

2> The script does not allow files with the .aspx suffix to be uploaded. After a space is added in the address bar (other symbols also work, for example '), the file extension the script gets is 'aspx ', so a check of the form if xxx = 'aspx' then no longer matches. The fix is to change the check from "not allowed" to "only allowed".
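The "not allowed" comparison from point 2 next to the "only allowed" check the post recommends, as an added C# example (not eWebEditorNet's code and not from the original post). The class and method names, the allowed extensions and the sample file names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

static class UploadNameCheck
{
    // Assumed allow-list for an editor's image upload; adjust per deployment.
    static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "gif", "jpg", "jpeg", "png" };

    // Everything after the last dot, exactly as the client sent it.
    static string RawExtension(string name)
    {
        int dot = name.LastIndexOf('.');
        return dot < 0 ? "" : name.Substring(dot + 1);
    }

    // Flawed "not allowed" pattern from the post: reject only an exact "aspx".
    public static bool DenyListAllows(string name)
    {
        return !string.Equals(RawExtension(name), "aspx", StringComparison.OrdinalIgnoreCase);
    }

    // "Only allowed" pattern: the raw extension must match an allow-list entry
    // exactly, so a trailing space, quote or any other suffix fails the check.
    public static bool AllowListAllows(string name)
    {
        return Allowed.Contains(RawExtension(name));
    }

    // The stored name is generated server-side and reuses only a validated extension.
    public static string StoredName(string name)
    {
        if (!AllowListAllows(name))
            throw new ArgumentException("file type not allowed");
        return Guid.NewGuid().ToString("N") + "." + RawExtension(name).ToLowerInvariant();
    }

    static void Main()
    {
        // Constructed sample names: plain, trailing space, trailing quote, allowed.
        foreach (string n in new[] { "jackie.aspx", "jackie.aspx ", "jackie.aspx'", "photo.JPG" })
            Console.WriteLine("[{0}] deny-list allows: {1}, allow-list allows: {2}",
                n, DenyListAllows(n), AllowListAllows(n));
    }
}
```

The check has to run on the server, because the hidden Upload button shows that client-side controls do not limit what gets submitted.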