eWebEditor 3.8 PHP version vulnerability

ID MYHACK58:62200924705
Type myhack58
Reporter Anonymous
Modified 2009-09-19T00:00:00


The admin backend of the PHP version calls ../ewebeditor/admin/config.php; look at the source code and you will see why. Here I describe how it is used:

1. First, of course, find the login page; the default is ../eWebEditor/admin/login.php. Once on the login page, enter any username and password. This will of course produce an error. At that point, clear the browser's URL bar and enter the following, pressing Enter after each of the three:

javascript:alert(document.cookie="adminuser="+escape("admin"));
javascript:alert(document.cookie="adminpass="+escape("admin"));
javascript:alert(document.cookie="admindj="+escape("1"));

2. Then request ../ewebeditor/admin/default.php in the normal way, and you are in the backend.

3. The rest is the same as with the ASP version: add a new style and modify the upload settings.

I tested the ASP 2.8 version and the same method works there too, so it seems the ASP version is affected across the board (I only tested 2.8; 2.8 seems to be the highest version).

For the ASPX version, at ../ewebeditor/admin/upload.aspx, fill in a local .cer shell file, then enter javascript:lbtnUpload.click(); in the browser address bar to get the shell.

The JSP upload vulnerability has also been out for a very long time: since there is no upload button, select the shell to upload and press Enter.

From now on, as long as the eWebEditor backend can be found, it can be taken in every case, so this vulnerability is quite handy. Worth bookmarking.
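
The bypass in steps 1 and 2 works because the admin pages accept cookie values, which the browser user can set freely, as proof of login. The PHP script below is an added example, not eWebEditor's source or the author's code: it contrasts an assumed, simplified form of that check with a server-side session check. The function names, the session key and the sample account are hypothetical.

```php
<?php
// Added example; not eWebEditor source. All names below are hypothetical.
session_start();

// Assumed, simplified form of the flawed check: login state is read from
// cookies, and a cookie is whatever value the browser user chooses to send.
function is_admin_by_cookie(array $cookies): bool
{
    return ($cookies['adminuser'] ?? '') !== ''
        && ($cookies['adminpass'] ?? '') !== ''
        && ($cookies['admindj'] ?? '') === '1';
}

// Hardened form: only a verified login writes the flag, and the flag lives in
// server-side session data. The browser holds nothing but the session ID.
function login(string $user, string $pass, array $accounts): bool
{
    $hash = $accounts[$user] ?? null;           // username => password_hash()
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);                // block session fixation
    $_SESSION['admin_user'] = $user;
    return true;
}

function is_admin_by_session(): bool
{
    return isset($_SESSION['admin_user']);
}

// Constructed sample data: one account and the cookie set from step 1.
$accounts = ['editor-admin' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];
$cookies  = ['adminuser' => 'admin', 'adminpass' => 'admin', 'admindj' => '1'];

$results = [
    'cookie check, self-set cookies'  => is_admin_by_cookie($cookies),
    'session check, self-set cookies' => is_admin_by_session(),
    'login with wrong password'       => login('editor-admin', 'guess', $accounts),
    'login with correct password'     => login('editor-admin', 'constructed-sample-pw', $accounts),
    'session check after login'       => is_admin_by_session(),
];
foreach ($results as $case => $ok) {
    echo str_pad($case, 34), $ok ? 'accepted' : 'rejected', PHP_EOL;
}
```

With the session design, every admin page calls the session check before doing any work, and cookies named adminuser, adminpass or admindj arriving on a request carry no weight.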