Penetration-testing shortcut to a shell: eWebEditor ASP/ASPX/PHP version vulnerabilities

2008-11-17T00:00:00
ID MYHACK58:62200821109
Type myhack58
Reporter Anonymous
Modified 2008-11-17T00:00:00

Description

Recently I have been thinking of starting to write on the blog again. I always post other people's material, so today I am writing something myself. There is nothing technical in it; consider it a summary. I hope it helps newcomers a little; experts, please do not laugh at me.

eWebEditor: I believe both the novices and the experts who play at hacking are already very familiar with it and quite skilled at using it, right? In fact I did not really want to write this, but having taken so many sites with it, it would not do to leave no memento :)

First, the official introduction:

eWebEditor™ online HTML editor! eWebEditor is a browser-based, WYSIWYG online HTML editor. It brings to the web page much of the powerful visual editing capability of desktop software such as Word. Web developers can use it to replace the traditional multi-line text input box <TEXTAREA> with a visual rich-text input box, so that end users can publish web content in HTML format visually. eWebEditor has basically become an essential tool for website content management and publishing!

If you are interested, see the official site for details: http://www.ewebeditor.net/

To get to the point: the editor comes in three main versions by scripting language, ASP, ASPX and PHP, and each version can be exploited.

ASP Edition:

I personally feel this version has the greatest impact and is the most widely used; many early ASP sites used it, and of course many still do.

How is it exploited? Usually the admin back-end URL is left at the default:

www.xxx.com/admin/ewebeditor/login_admin.asp

or similar:

www.xxx.com/ewebeditor/login_admin.asp

www.xxx.com/admin/eweb/login_admin.asp

www.xxx.com/admin/editor/login_admin.asp

The account and password are usually the defaults as well: admin admin

There is a simple way to find this path: look at the pictures in the site's news or other sections; the path can be found from the image URLs. If that is unclear, try it yourself and you will see.

If the default account and password have been changed, the database can be downloaded and the MD5 cracked locally.

Default database:

.../db/ewebeditor.mdb or .../db/ewebeditor.asp
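
For defenders, the default paths above translate directly into web-log checks. The following is an added example, not part of the original post: it scans access-log lines for requests to the default eWebEditor login page and for downloads of the default database. The four-field log layout and the sample lines are constructed assumptions.

```python
import re

# Default locations named in the post, matched case-insensitively because
# IIS paths are not case-sensitive.
LOGIN_RE = re.compile(r"/(?:ewebeditor|eweb|editor)/login_admin\.asp$", re.I)
DB_RE = re.compile(r"/db/ewebeditor\.(?:mdb|asp)$", re.I)

# Constructed sample lines: "<client-ip> <method> <uri> <status>"
SAMPLE_LOG = """\
198.51.100.7 GET /admin/ewebeditor/login_admin.asp 200
198.51.100.7 GET /admin/eWebEditor/db/ewebeditor.mdb 200
203.0.113.9 GET /news/show.asp 200
203.0.113.9 GET /ewebeditor/db/ewebeditor.mdb 404
198.51.100.7 POST /admin/ewebeditor/login_admin.asp 302
"""


def classify(line):
    """Return a finding label for one log line, or None if it is benign."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ip, method, uri, status = parts
    path = uri.split("?", 1)[0]
    if DB_RE.search(path):
        # A 200 means the database, including the admin MD5, left the server.
        return "db-downloaded" if status == "200" else "db-probe"
    if LOGIN_RE.search(path):
        return "login-attempt" if method == "POST" else "login-page-probe"
    return None


def scan(log_text):
    """Return (client ip, label) for every suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            findings.append((line.split()[0], label))
    return findings


if __name__ == "__main__":
    for ip, label in scan(SAMPLE_LOG):
        print(ip, label)
```

A "db-downloaded" hit means the admin hash should be treated as exposed, and the database should be moved out of the web root or blocked from being served.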

Usually, after downloading the database, open it and take a look, then log in to the back end, create a new style and... upload an ASA trojan...

On some sites the database is set read-only, so you cannot add a new style. On such sites you can look at the style settings already in the database; most of the time someone has been there before, and asa is obviously already in there... So you can directly construct a link that calls this style to upload a shell.

For example, suppose a style named 123 is found in the database and its settings allow asa uploads.

Then you can make this call:

http://www.xxx.com/eWeb/eWebEditor.asp?id=contentCN&style=123

You can then upload directly; clicking "edit" will show the shell's path.

In fact, this vulnerability is mainly the result of lax filtering in upload.asp. Newer versions should have fixed it; I have not tallied exactly which versions are affected.
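
The read-only-database case above works only because an existing style already permits a server-executable extension. As an added example (not from the original post and not the vendor's fix), this audit flags such styles and shows a strict allow-list upload check. The record layout, style names and pipe-separated extension format are constructed assumptions, not eWebEditor's actual schema.

```python
import re

# Extensions a web server may run as script. asa and cer are the ones the
# post mentions; the others are an assumption, adjust to your handler mappings.
EXECUTABLE = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "asmx", "php"}

# Constructed export of style settings: style name -> allowed-extension fields.
SAMPLE_STYLES = {
    "standard": {"image": "gif|jpg|jpeg|bmp", "file": "rar|zip|doc"},
    "123": {"image": "gif|jpg|asa", "file": "rar|zip"},
    "blue": {"image": "gif|jpg", "file": "zip| .CER |txt"},
}

# One base name, one dot, one extension: rejects "a.asp;.jpg" and "a.asp.jpg".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")


def normalize(ext_list):
    """Split a pipe-separated list, tolerating spaces, leading dots and case."""
    return {e.strip().lstrip(".").lower() for e in ext_list.split("|") if e.strip()}


def audit_styles(styles):
    """Return {style name: sorted executable extensions the style allows}."""
    findings = {}
    for name, fields in styles.items():
        bad = set()
        for ext_list in fields.values():
            bad |= normalize(ext_list) & EXECUTABLE
        if bad:
            findings[name] = sorted(bad)
    return findings


def is_upload_allowed(filename, ext_list):
    """Allow-list check that never trusts a style listing a script extension."""
    match = SAFE_NAME.fullmatch(filename)
    if not match:
        return False
    return match.group(1).lower() in normalize(ext_list) - EXECUTABLE


if __name__ == "__main__":
    print(audit_styles(SAMPLE_STYLES))
```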

Here is another published eWebEditor vulnerability:

Vulnerable file: Admin_Private.asp
Vulnerable statement:

<%
' Only the session variable is checked before the admin page is served
If Session("eWebEditor_User") = "" Then
    Response.Redirect "admin_login.asp"
    Response.End
End If
%>

Only the session is checked; cookies and the path are not verified. Exploit: create a new mrchen.asp with the following content:

<%Session("eWebEditor_User") = "11111111"%>

Access mrchen.asp, then access any back-end file, for example Admin_Default.asp.

This way of getting a shell is simple, so I will not describe it in detail; if you do not understand, contact me on QQ: 8175229

ASPX version:

Affected file: eWebEditorNet/upload.aspx

Usage: select a local cer shell file, then enter javascript:lbtnUpload.click(); in the browser address bar to get the shell. Try the details yourself; if you do not understand, contact me or leave a message.

PHP version:

Because of the special nature of PHP scripts' default permissions, not much is disclosed here for this version.

Of course, the simple approach still works: the default back end and the default account and password, admin admin.

This alone, which hardly counts as a vulnerability, is enough to take many servers directly, and many of them with system privileges outright.

Running net user xxx xxx /add directly from the shell is possible....

Well, it is now half past two in the morning and I am sleepy; this is all I can think of to write for now. If something else comes to mind later I will add it. I also hope that friends and experts who read this will offer plenty of pointers and additions. There is really nothing technical in it!

Note: friends who have read this article, do not come asking me how to find servers with these vulnerabilities; I will not answer that. If it is a technical question, I will tell you what I know. Again, there is nothing technical here. If you reprint this, please keep the copyright notice. Thank you.