XXX shop management system 9.0 - 0DAY - vulnerability warning - the black bar safety net

ID MYHACK58:62200925537
Type myhack58
Reporter Anonymous
Modified 2009-12-08T00:00:00



Since IIS is not installed locally and the official site does not have this CMS, I went to the Internet and tested a few sites running this program.. the results are exciting..

I did not look at anything else. When I get a CMS, the first thing I do is check which upload components it is combined with.. such as fckeditor, ewebeditor, upload.asp.....

This program's fckeditor has been trimmed down a lot.. but some usable things were left behind.. the file /asp/upload.asp..

Let's go straight to how it is used..

Test url: http://www.xxx.com/

The fckeditor directory is under the admin directory.. that is <>

Going directly to connectors/asp/connector.asp definitely won't work.. as for the earlier vulnerability.. I haven't tried it.. skip..

We can construct a form locally that calls upload.asp to upload files..

Code used:

    <form id="frmUpload" enctype="multipart/form-data" action="<>" method="post">
      Upload a new file:<br>
      <input type="file" name="NewFile" size="50"><br>
      <input id="btnUpload" type="submit" value="Upload">
    </form>

As shown:


I first uploaded an image named hx.jpg.. its path was images/uploadfile/2009120114364991.jpg, renamed..


What should I do?? Dizzy.. I then uploaded hx.asp;hx.jpg, as shown:


It actually succeeded.. Oh.. and then called hello! Pass the word, as shown:


Then I uploaded a pony, as shown:


A final thought: fckeditor in some versions will turn "." (dot) into "_"; the way to bypass this is to name the horse locally hx.asp;jpg

The "." in front of jpg is removed and it is easily bypassed.. the test was successful; this was noted in the yxbbs vulnerability.

A secondary upload bypass is also possible.... OK
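A server-side check that refuses the file names this post uploads (hx.asp;hx.jpg, hx.asp;jpg), shown beside a last-extension denylist that accepts them. This is an added example, not code from the CMS or from FCKeditor; the function names, the extension lists and the image-only policy are assumptions.

```python
import os
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}  # assumed image-only upload policy
DENIED_EXT = {"asp", "asa", "cer", "cdx"}    # assumed denylist, for comparison only


def naive_denylist_ok(name: str) -> bool:
    """Weak check: compares only the text after the last dot to a denylist."""
    ext = name.rsplit(".", 1)[-1].lower()
    return ext not in DENIED_EXT


def safe_stored_name(name: str):
    """Return a server-generated file name, or None if the upload is refused."""
    base = os.path.basename(name.replace("\\", "/"))
    # Letters, digits, '_' and '-' around exactly one dot. This refuses ';',
    # ':', extra dots, spaces and control characters outright.
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", base)
    if not m or m.group(1).lower() not in ALLOWED_EXT:
        return None
    # Never reuse the client's name on disk: random stem, vetted extension.
    return secrets.token_hex(8) + "." + m.group(1).lower()


# The first three names appear in the post; "hx.asp" is a constructed control.
SAMPLES = ["hx.jpg", "hx.asp;hx.jpg", "hx.asp;jpg", "hx.asp"]


def report():
    """Map each sample name to (denylist accepts it, allowlist accepts it)."""
    return {n: (naive_denylist_ok(n), safe_stored_name(n) is not None)
            for n in SAMPLES}


if __name__ == "__main__":
    for name, (naive, strict) in report().items():
        print(f"{name!r}: denylist accepts={naive} allowlist accepts={strict}")
```

Independently of the name check, the upload directory should have script execution disabled in IIS so that a stored file is never interpreted as ASP.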