MSN Editor vulnerability - Vulnerability Warning - Black Bar Safety Net

2009-11-28T00:00:00
ID MYHACK58:62200925432
Type myhack58
Reporter Anonymous
Modified 2009-11-28T00:00:00

Description

This editor is quite rudimentary. I ran into it one afternoon while working on a site: there was no database backup function, nowhere that would let you upload a webshell directly, and the only thing available was this single editor interface.

[Image: screenshot of the editor's image upload interface, 500x368 (/Article/UploadPic/2009-11/2009112824149790.jpg)]

Briefly, the method. After you click image upload, the upload page appears at the following address:

http://www.xxx.cn/admin/uploadPic.asp?language=&editImageNum=0&editRemNum=

After uploading an ordinary picture, its address is <http://www.xxx.cn/news/uppic/41513102009204012_1.gif>

Remember this path.

Click image upload again; this time the address becomes http://www.xxx.cn/news/admin/uploadPic.asp?language=&editImageNum=1&editRemNum=41513102009204012

Obviously, the picture's file name is generated from the number following RemNum.

Exploitation is very simple using the IIS parsing vulnerability: change the value after RemNum to 1.asp;41513102009204012

This gives the following address:

http://www.xxx.cn/admin/uploadPic.asp?language=&editImageNum=0&editRemNum=1.asp;41513102009204012

Then open it in the browser,

select your script trojan and upload it.

The following address is returned: uppic/1.asp;41513102009204012_2.gif

Opening that directly gives the address of our small webshell.

Now for the patch method.

by:think you're blocking stopper to break the wall

Key code:

```vbscript
' Vulnerable version: when the request carries a non-empty editRemNum,
' that client-supplied value is used verbatim as the file-name prefix.
if editRemNum<>"" then
    remNum = editRemNum
else
    ' Server-generated prefix: a random 1..999 number followed by the date and time.
    Randomize
    remNum = Int((999 - 1 + 1) * Rnd + 1)&day(date)&month(date)&year(date)&hour(time)&minute(time)&second(time)
end if
remFileName = remNum&"_"&(editImageNum+1)&".gif"
end if   ' closes an enclosing If that is not part of this excerpt
```

Heh, I will not explain it in detail.

Remove the branch that takes the value from the editRemNum parameter from the definition section, and keep only the part that follows.

Code to keep:

```vbscript
' Patched version: editRemNum is no longer consulted, so the prefix is
' always generated on the server side and cannot carry ".asp;".
Randomize
remNum = Int((999 - 1 + 1) * Rnd + 1)&day(date)&month(date)&year(date)&hour(time)&minute(time)&second(time)
remFileName = remNum&"_"&(editImageNum+1)&".gif"
```
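As an added illustration (not the editor's own code, which is the VBScript above), the following Python models the original file-name logic next to the patched one, and adds a check a defender can run over the names in an existing upload directory to find files that the IIS 6 semicolon parsing behaviour would execute as ASP. All function names are hypothetical.

```python
import random
import re
from datetime import datetime


def server_rem_num(now=None):
    """Equivalent of Int((999 - 1 + 1) * Rnd + 1) & day & month & year & hour & minute & second."""
    now = now or datetime.now()
    return f"{random.randint(1, 999)}{now.day}{now.month}{now.year}{now.hour}{now.minute}{now.second}"


def vulnerable_filename(edit_rem_num, edit_image_num, now=None):
    """Original logic: a non-empty editRemNum from the request becomes the prefix verbatim."""
    rem_num = edit_rem_num if edit_rem_num != "" else server_rem_num(now)
    return f"{rem_num}_{int(edit_image_num) + 1}.gif"


def patched_filename(edit_rem_num, edit_image_num, now=None):
    """Patched logic: editRemNum is ignored; the prefix is always server generated.
    editImageNum is coerced to an integer, as (editImageNum+1) does in VBScript,
    so a non-numeric value raises instead of reaching the file name."""
    del edit_rem_num  # deliberately unused
    return f"{server_rem_num(now)}_{int(edit_image_num) + 1}.gif"


# IIS 6 stops reading the name at ';' when choosing the script handler,
# so "x.asp;y.gif" is handled as x.asp. The page only shows .asp; the
# extension list is kept to that case.
IIS6_SEMICOLON_SCRIPT = re.compile(r"\.asp\s*;", re.IGNORECASE)


def is_suspicious_upload_name(name):
    """True if the name triggers the ';' parsing bug, or if its prefix is not
    the purely numeric form the server itself generates."""
    if IIS6_SEMICOLON_SCRIPT.search(name):
        return True
    prefix = name.split("_", 1)[0]
    return not prefix.isdigit()


def audit_upload_dir(names):
    """Return the names in an uppic/ listing that should be investigated."""
    return [n for n in names if is_suspicious_upload_name(n)]


if __name__ == "__main__":
    # Constructed listing: one legitimate upload and one planted name.
    listing = ["41513102009204012_1.gif", "1.asp;41513102009204012_2.gif"]
    print(audit_upload_dir(listing))
```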

Source:<http://www.idying.cn/>