By: Men_Si
Because IIS is not officially installed locally, it is not the cms .. so I went to the Internet to find a few websites to test the program... the results are exciting ..
I didn't see anything else. The first thing I got to cms was to see what it combined with upload and so on. For example, fckeditor ewebeditor
Upload. asp .....
This set of programs has a fckeditor which is much more streamlined. But there are still some available things.../asp/upload. asp this file ..
Let's take a look at it ..
Test URL: http://www.xxx.com/
The fckeditor directory is under the admin directory... that is, the http://www.xxx.com/admin/fckeditor/.
You cannot directly find connectors/asp/connector. Asp. It's a very early vulnerability. You didn't try it... skip it directly ..
We can construct a local upload... Call upload. asp to upload files ..
Code:
<Form id = "frmUpload" enctype = "multipart/form-data" action = "http://www.xxx.com/admin/fckeditor/editor/filemanager/connectors/asp/upload.asp? Type = File "method =" post ">
Upload a new file: <br>
<Input type = "file" name = "NewFile" size = "50"> <br>
<Input id = "btnUpload" type = "submit" value = "Upload">
</Form>
:
First, I uploaded an image named hx.jpg. The path is images/PreviousFile/2009120114364991.jpg and renamed ..
What should we do ?? Then I passed another hx.asp;hx.jpg file ..:
Actually succeeded! Upload a sentence ..:
Then he passed on another pony and went up to OK ..:
Finally, for some fckeditor versions, "." (point) is converted to "_". The bypass method is to name the horse hx. asp; jpg locally.
A dot in front of jpg can be easily bypassed after it is removed. The test has been successful (some people have pointed out the yxbbs vulnerability)
You can also bypass the second upload... OK