eWebEditor directory traversal and upload vulnerability

ID MYHACK58:62201131845
Type myhack58
Reporter Anonymous
Modified 2011-09-15T00:00:00


Affected version: eWebEditor 2.8 free version

With nothing to do over the past two days, I opened a web vulnerability scanning tool I had not used in a long time and ran it against certain colleges and universities to check for injection vulnerabilities. After finding a vulnerability, I discovered that two of the schools' sites had been built by the same company, so I started a penetration....

The first thing I got into was the backend of a scoring site on the same server. Once in, I found it had no way to upload web files, and the editor it used was the eWebEditor 2.8 free version. I tried the default credentials ADMIN / ADMIN888 and the password was rejected. I was about to give up when I mistyped the password into the account field; since it was already typed, I did not change it, and in a just-trying mood I typed ADMIN888 into the password field as well. I did not expect it to work, but it did!

Once inside the eWebEditor 2.8 admin backend, I remembered an article I had seen online saying that `eWebEditor.asp?dir=id` can be used to traverse directories. I did not use that approach, though. Instead, in the style settings I changed the image upload path to "../../../", which lets you browse three directory levels up. In the same way, you can browse up N-1 levels of directories.

Uploading ran into problems, because the upload function restricts the file type. I thought of a small trick myself: give the backdoor file being uploaded two suffixes, such as admin.jpg.asa. On an ASP server, ASA can be uploaded just the same, so I added ASA in the style settings. Why not add ASP directly? Because the backend by default does not allow ASP uploads under any circumstances.

After uploading, I found it had been cleared out entirely. Poor me. But I then added one more suffix, such as admin.jpg.php.asa. I don't know why, but this time the script was not filtered after uploading; only the extension was kept, as "date and time.ASA". I tried privilege escalation, with no result: the web server turned out to be set up on an internal network and the other ports were all closed, so for now there was nothing more to do. I did not continue and just left a reminder for the admin on the home page. This penetration is over!!
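From the defender's side, the three conditions this write-up depends on (an upload path that climbs out of the upload directory, an allowed-extension list that accepts ASA, and a multi-suffix file name) can each be rejected with a small check. The following is an added example, not code from the original post or from eWebEditor; the function names, the `|`-separated extension list, the sample paths and the executable-extension set beyond ASP, ASA and PHP are assumptions.

```python
import posixpath

# Extensions a classic ASP/IIS host may hand to a script engine.
# Assumed list: the post itself names only ASP, ASA and PHP.
EXECUTABLE_EXTS = {"asp", "asa", "cer", "cdx", "php"}
IMAGE_EXTS = {"jpg", "jpeg", "gif", "png", "bmp"}


def upload_dir_is_safe(base_dir: str, configured: str) -> bool:
    """True only if a style's upload path resolves inside base_dir."""
    cfg = configured.replace("\\", "/")
    if cfg.startswith("/") or ":" in cfg:
        return False  # absolute path or drive letter
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, cfg))
    return resolved == base or resolved.startswith(base + "/")


def allowed_exts_are_safe(style_exts: str) -> bool:
    """style_exts is a '|'-separated list (assumed format), e.g. 'gif|jpg'."""
    exts = {e.strip().lower().lstrip(".")
            for e in style_exts.split("|") if e.strip()}
    return bool(exts) and exts <= IMAGE_EXTS


def filename_is_safe(name: str) -> bool:
    """Reject path separators and an executable extension in ANY segment."""
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    # Windows drops trailing dots and spaces, so strip them before checking.
    parts = name.lower().rstrip(". ").split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False
    return parts[-1] in IMAGE_EXTS


if __name__ == "__main__":
    base = "/wwwroot/ewebeditor/UploadFile"  # constructed sample path
    print(upload_dir_is_safe(base, "../../../"))   # path from the post
    print(allowed_exts_are_safe("gif|jpg|asa"))    # ASA added to a style
    print(filename_is_safe("admin.jpg.php.asa"))   # name from the post
```

Running the same checks over stored style settings as an audit, not only at upload time, also catches a change made through the admin backend after a default password was guessed.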