Pageadmin Cms V2.0 Getshell 0day

Black boy in Toast announced the "Pageadmin CMS Getshell oday", and gave a leak

The use of the hole exp. After a dangerous stroll in the virtual machine test, the vulnerability is pageadmin CMS of the second most paid version PAGEADMM CmsV2.0, the latest version pageadmin v2.1 20110927 There is no such vulnerability. The use of loopholes can be directly obtained shell, the harm is still very large.

I. Introduction of the vulnerability

Pageadmin CMS is an enterprise-level website management system integrated with content publishing, articles, products, pictures, recruitment, message, custom model, collection and other functions.

Vulnerability publisher Black boy has given the vulnerability analysis, which is directly quoted here:

This program has a fckeditor, the tragedy is here. However, the program in the upload.aspx inside the authentication authority. Upload <%@ page language= "C #" trace= "false" inherits= "FredCK.FCKeditorV2.Uploader" autoeventwireup= "false" Stylesheettheme= '%> But in connector.aspx this is a section

<% @Page language= "C #" trace= "false" inherits= "FREDCK.FCKEDITORV2.FILEBROWSERCONNECTORFL

Autoeventwireup= "false" stylesheettheme= ... '%> I'm not. NET so I have no idea what he meant by this code, but after testing this code is useless! Can upload any file,.. /.. /any cross-catalog! Uploads can be locally constructed test.html.

My personal understanding is that Pageadmin Cms v2.0 used to FCKeditor there is any file upload vulnerability, harsh and can be customized to upload the file directory.

Ii. exploitation of exploits

To test the vulnerability, I downloaded the source code for the vulnerable Pageadmincms V2.0, V2 the Pageadmin Cms in the virtual machine's Windows system. O installed. The site's access address in the virtual machine.

Here's how to exploit exploits. Pageadmin Cms V2.0 fckeditor Default in the managed directory master, connector.aspx the URL in the virtual machine.

1. Use test.html upload to get shell

Because of any file upload vulnerability in FCKeditor, the shell can be uploaded directly through test.html, but the test.html in the program is deleted. Delete Does not matter, I from other not deleted test.html FCKeditor copied a test.html out, slightly modified under can use. Open test.html with Notepad, search for connector. aspx, and find the connector. The full URL of the ASPX. Save to test. HTML changes, and then opens the test.html with a browser, there will be a security prompt, select "Allow blocked content."

"Connector:" Select ASP., "Current Folder" and "Resource Type" all remain the default, through the "Browse" button to select the shell to upload, here I chose ASPXspy2, click "Upload" after the blank page appears , as if the upload succeeded, point "Get Folders and Files", see the file upload name, in the/upload/fckeditor/file/directory, Access is prompted "Unable to find resources", open Upload\fckeditor directory, There is no file subdirectory, but there is a directory, that is, the current year plus month, in the middle with a connection, open the folder, there is a folder file, open the file folder, an. aspx file is lying there. In the original shell address between FCKeditor and file to add a current year of the folder, after accessing the URL to find the. aspx file, the shell is obtained.

2. Using Exp to get shell

The black kid gives a php-written exploit to exploit exp, which can get the shell directly. Exp code will not be posted out, there are friends who want to contact me.

Save the code as a file pacmsexp.php and put it in the C packing directory of the virtual machine system. Since exp is written in PHP and requires you to install PHP before you can use it, the windoes system of a dangerous roaming virtual machine has already installed PHP v5.3. Open a command prompt and switch to the C packing directory. Enter PHP Pacmsexpplip return to see the usage of exp (PHP installation directory has been added to the environment variable path, so do not enter PHP.) The path where the EXE resides).

The use format of exp is:

PHP pacmsexp.php site Path

Where site is the domain name or IP address of the vulnerable website, path is the directory where the Pageadmin Cms V2.0 resides. Enter PHP pacmsexp.php 127.0.0.1, enter, will see a cursor in Flash, prompt "Exploit Success", and has given the address of the shell is aspx-' sentence trojan, password for 90sec.org, The shell is also obtained with the tool connection.

Pageadmin Cms v2.0 Getshell Oday and the use of the vulnerability two ways to get the shell is done. You can find a Web site that could have this vulnerability by searching for "Poweredbypageadlnin V2.0".

Pageadmin Cms V2.0 Getshell 0day