Rongsoft Oday bulk to get SHELL-vulnerability warning-the black bar safety net

ID MYHACK58:62200924778
Type myhack58
Reporter 佚名
Modified 2009-09-24T00:00:00


Author: cast

Blog:http://hi. baidu. com/cast_blog/

Then GOOGLE search for keyword: inurl:xinwenxq. asp? biaohao=

Access management address: gonggong/denglu/denglu. asp

First, in the management of the landing page, with a simple'or'='or'can fool the past!

In the verification file:

zhanghao=request("zhanghao") mima=request("mima") quanxian=1 session. timeout=2 3 0

Set rs= Server. CreateObject("ADODB. Recordset") sql="select zhanghao,quanxian from guanli where zhanghao='"& zhanghao&"' and mima='"&mima&"' and zhuangtai='1'" rs. open sql,conn,1,1

Really doubt this program the author is not an idiot, there is no any anti-injection measures!

Into the background after the upload WEBSELL is to let people eat a fright!


Just choose a template, add


Then in


Click Upload, and then directly transfer the Trojan. ASP ASA PHP can

Look at the background of the upload code and found that the program is only responsible for the upload, didn't have any File Validation


Time late, finish this I'm going to sleep!

Bye-bye, I QQ 9 7 6 4 2 2 5 0 hope you can join me to explore the technology!


The next day continued

Today suddenly thought, the Upload File did not filter anything. So, I should be able to directly access.


After upload the display went blank, we directly see the source file you can get the SHELL address.


In addition if you find the Upload file is deleted, you can try to use eWebeditor upload. to.

gonggong/ewebsoft/admin_login. asp

This is the address, admin password default admin

Well.. Nothing of note.