Wodig4. 1. 3 Access the free version(UTF-8)upload vulnerability-vulnerability warning-the black bar safety net

2010-02-01T00:00:00
ID MYHACK58:62201026117
Type myhack58
Reporter 佚名
Modified 2010-02-01T00:00:00

Description

1, The upload/upload_image. asp, Mutiupload_image. asp. From the cookie to obtain the userid and put in the session, as the path. ASP/Visual Basic code

1. loadsrc="/UploadFile/"&Request. Cookies("UserID")&"/" 'if the website is not put in with the directory, please/UploadFile before adding you to store the directory name, such as put in wodig folder, just prepend/wodig attention to the front to have/ 2. Session("uppath")=loadsrc

2, The upload/upfile_image. asp, mutiUpfile_image. asp Upload File made in the session path, as the path of the uploaded file. ASP/Visual Basic code

1. filepath = Session("uppath") 'properties,before Upload file path Okay j8hacker Server done a writable directory not perform the configuration, escaped, upload the shell is not executed, there is no into hack guestbook to.

Then search for this vulnerability, as if not being burst through, and that perhaps is 0day.

In the official under the latest version, and sure enough the same the presence of the vulnerability. And 2 upload files are using this way there are loopholes in.

Game this now has burst 2 0day, are directly take the shell.

Vulnerability details use as follows:

----------------------------------------------------------

Came

http://www.hacknote.com/upload/upload_image.asp?formname=form&ImgSrc=src_img_2&editname=src_img

Page, modify the cookie to the UserId field value is hacknote. asp

Refresh the page make sure to brush it out, in order to allow userid to write session

Upload a shell, the shell to be renamed as a gif file.

After uploading, see source file, find path to

uploadfile/hacknote.asp/sXXXXXXXXXXX.gif

PS: this article of attractive places is to use cookies to control the Upload Directory. in. So you find a 0day when note.