{"type": "myhack58", "published": "2008-11-17T00:00:00", "reporter": "\u4f5a\u540d", "bulletinFamily": "info", "id": "MYHACK58:62200821109", "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": 1.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "openvas", "idList": ["OPENVAS:20245"]}]}, "exploitation": null, "vulnersScore": 1.0}, "edition": 1, "viewCount": 1, "cvelist": [], "references": [], "lastseen": "2016-11-14T18:17:03", "href": "http://www.myhack58.com/Article/html/3/62/2008/21109.htm", "modified": "2008-11-17T00:00:00", "title": "Osmotic pre-Flash to get shell shortcut/Ewebeditor/ASP/ASPX/PHP the version of vulnerability-vulnerability warning-the black bar safety net", "description": "Recent thinking from the new writing blog, I always take someone else's stuff posted \nToday in the blog on yourself to write something, nothing technical content, even if a summary. \nHope the newbies some help, the cattle people to the table to laugh at me, huh? \n\newebeditor, believe play the Black calf and the bull were already very familiar with, and use is also quite skilled, right? In fact, this was also don't want to write, think of With he took then stops, without leaving a memorial or not,\uff1a\uff09 \n\nFirst of all: to period official introduction \n\neWebEditorTM? Online HTML editor! \neWebEditor is browser-based, WYSIWYG online HTML editor. She was able to achieve on the page many desktop editing software such as: Word the powerful visual editing capabilities. WEB developers can use her to the traditional multi line text input box<TEXTAREA>replace visual rich text input box, so end users can visualize the release of HTML format web page content. eWebEditor! Has basically become a website content management to publish an essential tool! \n\nIf interested go to the official understand the details: http://www.ewebeditor.net/ \n\nBe the first to say focus it, this editor according to the script the main points are 3 versions, ASP/ASPX/PHP/ each version can be utilized \n\nASP Edition: \n\nThis version actually personally feel is the greatest impact, the most used one, the early a lot of asp station with this, Of course, now is also a lot of presence. \n\nHow to use? Generally use the default background URL is the default: \n\nwww.xxx.com/admin/ewebeditor/login_admin.asp \n\nSimilar \n\nwww.xxx.com/ewebeditor/login_admin.asp \n\nwww.xxx.com/admin/eweb/login_admin.asp \n\nwww.xxx.com/admin/editor/login_admin.asp \n\nAnd account and password also basic is the default: admin admin \n\nFor to find this path there is a simple method, that is, in his station on the news or other sections for pictures, see pictures of the URL is also can be found, do not understand their own try will know \n\nAnd if the default account and password is modified, we can download his database, and then the local crack MD5. \n\nDefault database: \n\n.../db/ewebeditor. mdb or .../db/ewebeditor. asp \n\nGeneral download after the database is open view on it, and then the background landing, new styles and... Upload ASA horse is... \n\nSome stations database is set read-only attribute, so that the station you are unable to add new style, so the station you can see the other database in the style of the setting, generally most of the time is to allow people to get through, and obviously the asa in there... Oh, so then you can directly construct a call to this style of connection to upload shell \n\nSuch as found in the database in a style 1 2 3 his set is that you can upload the asa while \n\nThen you can do this call: \n\nhttp://www.xxx.com/eWeb/eWebEditor.asp?id=contentCN&style=1 2 3 \n\nSo that you can upload directly, then at the point\u201cedit\u201dyou will find the shell's path. \n\nIn fact, this vulnerability is mainly the upload. asp filter is not strict result of the new version should have fixed, specific affected versions, I didn't statistics too \n\nAlso in the publication of another ewebeditor vulnerability \n\nVulnerability file:Admin_Private. asp \nVulnerability statement: \n\n<% \n\nIf Session(\"eWebEditor_User\") = \"\" Then \nResponse. Redirect \"admin_login. asp\" \nResponse. End \nEnd If \n\nOnly the judgment of the session, did not determine the cookies and path verification problem. \nExploit: \nCreate a new mrchen. asp reads as follows: \n<%Session(\"eWebEditor_User\") = \"1 1 1 1 1 1 1 1\"%> \nAccess mrchen. asp, and then access the backend of any file, for example:Admin_Default. asp \n\nThis shell method is simple, and not described in detail, and do not understand can contact me qq: 8 1 7 5 2 2 9 \n\nASPX version: \n\nAffected files: eWebEditorNet/upload. aspx \n\nUse method: add a good local cer Shell file. In the browser LAN Controller input javascript:lbtnUpload. click();you can get the shell,in particular we try, don't understand contact me or leave a message \n\nPHP version: \n\nSince the PHP script special nature of the default permissions, this is not advertised too much. \n\nOf course, the simple, the default background, the default account password: admin admin can still be used \n\nOnly this one does not count the vulnerability the vulnerability can also be directly scored many server, and Oh, the many direct system privileges \n\nshell in a direct net user xxx xxx /add are possible\u3002\u3002\u3002\u3002 \n\nWell now 2 a.m. and a half, but also sleepy, think of these just write it, after having wanted to write in the Supplement, also hope to see the Friends, the cattle people a lot of pointing, a lot of supplements, Oh, it's nothing technical content of it! \n\nNote:after reading this article friends don't find me to ask me how to find these vulnerabilities in the Server, this I will not answer you, if it is a technical problem, I will put my know tell you otherwise herein, nothing technical content, if I have to reprint the words of hope leave a copyright, Thank you.\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{}