ESHOP network operators treasure Mall 1.0 GetWebshell - vulnerability warning - the black bar safety net

2012-04-24T00:00:00
ID MYHACK58:62201233730
Type myhack58
Reporter Anonymous
Modified 2012-04-24T00:00:00

Description

One day I woke up late, and when I got up I found a flyer on the floor.

It was for an online shop.

So I wanted to see what program it was running. I looked at the HTML comments, the CSS comments, and the file names, and found that it is ESHOP network operators treasure Mall.

I googled for exploits and found some eshop exploits. I tested them and they did not work, but there were still error messages. It turned out that there is another online system that is also called ESHOP.

Two days later I remembered it and tested again. Injection attempts ran into filter code, so I had a look at the source code. It turned out that the select keyword is not filtered.

In the front-end search, at the price range fields, I found a numeric injection point.

Combined with the admin table name and column names found in the code, the values can then be dumped.

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 admin from admin)>0

// The first admin login

http://www.badguest.cn/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 password from admin)>0

// The password. Standard MD5, you know.

The anti-injection code does not filter update either. So if the password cannot be looked up in reverse, you can update it. One more point: this filtering code only filters the GET method.

Once inside the admin backend: under Product system - Add product content - List picture, you can upload an aspx file directly. As for the path, uploading an aspx directly does not show the path, so first upload a jpg to get the path, then upload the aspx, and it is done.

That's it, call it a day.

PS: for testing only, not sabotage.
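
The injection point described above exists because a keyword blacklist guards a numeric price parameter; parsing the value as a number and binding it as a query parameter closes it for GET and POST alike. The following is an added example, not code from the original post or from ESHOP: it uses Python with SQLite rather than ASP.NET, and the blacklist contents, table layout and function names are assumptions.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed stand-in for a keyword blacklist. Like the filter in the post,
# it has no entry for "select" or "update".
BLACKLIST = ("'", ";", "--", "exec", "insert", "delete", "drop", "union")

# The value carried by minPrice in the post's first URL.
PAGE_PAYLOAD = "0 and (select top 1 admin from admin)>0"

def blacklist_allows(value: str) -> bool:
    """Weak check: true when no blacklisted token appears in the value."""
    lowered = value.lower()
    return not any(token in lowered for token in BLACKLIST)

def parse_price(raw: str) -> Decimal:
    """Strict check: accept only a finite, non-negative decimal number."""
    try:
        price = Decimal(raw.strip())
    except InvalidOperation:
        raise ValueError(f"price is not a number: {raw!r}") from None
    if not price.is_finite() or price < 0:
        raise ValueError(f"price out of range: {raw!r}")
    return price

def search(conn: sqlite3.Connection, min_raw: str, max_raw: str) -> list:
    """Price search that behaves the same for GET and POST input."""
    low, high = parse_price(min_raw), parse_price(max_raw)
    # Values are bound as parameters and never concatenated into the SQL text.
    sql, args = "SELECT name FROM products WHERE price >= ?", [float(low)]
    if high > 0:  # assumption: 0 means "no upper bound", as in maxPrice=0
        sql += " AND price <= ?"
        args.append(float(high))
    return [row[0] for row in conn.execute(sql + " ORDER BY name", args)]

def demo_db() -> sqlite3.Connection:
    """In-memory catalogue with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("cable", 5.0), ("phone", 300.0)])
    return conn

if __name__ == "__main__":
    print("blacklist lets payload through:", blacklist_allows(PAGE_PAYLOAD))
    print("valid search:", search(demo_db(), "10", "0"))
```

The same typed parsing has to run on every input path that reaches the query, since the post notes the original filter only covered GET.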