Ewebeditor: an invisible bomb in a website

When using ewebeditor, does the webmaster find that improper ewebeditor configuration will make it an invisible bomb in the website? The first time this vulnerability was discovered, it was due to an intrusion last year. When it was exhausted, ewebeditor was discovered, so it was easy to get webshell. After that, I had several successful intrusions using ewebeditor. This reminds me that I should write an article. Article Share with you, and ask the webeditor webmasters to check their websites. Otherwise, the next hacked one is you!

Vulnerability Exploitation
The steps for obtaining webshell using ewebeditor are as follows:
1. confirm that the website uses ewebeditor. In general, we only need to pay attention to whether there is a mark icon on the page of the post (Article), so we can make a general judgment.
2. ViewSource codeTo find the path of the ewebeditor. Click "View Source ".Code"To see if the source code is similar to" <IFRAME id = 'ewebeditor1 'src = '/edit/ewebeditor. asp? Id = content & Style = web 'frameborder = 0 scrolling = no width = '000000' Height = '000000'> </iframe> "statement. In fact, only when such a statement is found can the website use ewebeditor. Write down the "***" in src = '***', which is the path of the ewebeditor.
3. Access the management logon page of ewebeditor. The default Management page of ewebeditor is admin_login.asp, which is in the same directory as ewebeditor. asp. The preceding path is used as an example. The access address is http: // www. ***. Net/edit/admin_login.asp to check whether the logon page is displayed.
If you do not see such a page, it means that the Administrator has deleted the management logon page. Oh, what are you waiting for? Leave and try another place. But in general, I seldom see which administrator has deleted this page. Try the default username: Admin and password: admin888. How is it? Succeeded (not the default account, please refer to the following article )!
4. added the upload file type. Click "style management" and select "Settings" for a style under the list. Why do you want to select the style under the list? Because the style provided by ewebeditor cannot be modified, you can copy a new style to set it.

Then add the "asa" type to the file type to be uploaded.

5. Upload the ASP Trojan to obtain the webshell. Next, modify the extension of ASP Trojan to Asa to upload your asp Trojan. Don't ask me how to upload it. Do you see "preview? Click Preview and select insert other files.

Vulnerability Principle
The vulnerability exploitation principle is very simple. See the upload. asp file:
ASP script files cannot be uploaded under any circumstances
Sallowext = Replace (ucase (sallowext), "asp ","")
Because ewebeditor only filters ASP files. I remember the first time I used ewebeditor, I was wondering: since the author already knows that ASP files need to be filtered out, why not filter files such as ASA and CER at the same time? Maybe this is not responsible for free users!

advanced application
there are some other tips for exploiting the ewebeditor vulnerability:
1. You cannot log on using the default user name and password.
Please download the ewebeditor In the DB directory. MDB files, usernames, and passwords are stored in the ewebeditor_system table and are encrypted using MD5 encryption. If the files cannot be downloaded or cracked, you may be unlucky.
2. After the ASA type is added, the upload fails.
the webmaster understands the code and modifies the upload. ASP files, but it does not matter. According to the habits of ordinary people, they are often directly modified in the sentence sallowext = Replace (ucase (sallowext), "asp, I have seen a webmaster modify it like this:
sallowext = Replace (replace (ucase (sallowext), "asp ",""), "CER", ""), "asa", ""), "CDX", ""), "HTR ","")
you can simply upload ASP files by adding "aaspsp" to the upload type. Oh, is it a genius idea? After "aaspsp" is filtered out, it becomes "asp "! By the way, I would like to tell you a secret. In fact, the mobile network forum 7.0 SP2 can also bypass filtering extensions using similar methods.
3. After the ASP file is uploaded, the directory does not have the permission to run the script.
oh, it's really stupid. You can change the upload type. Can you change the upload path? Take a closer look at figure 4.
4. The method in 2nd is used, but the ASP type still cannot be uploaded.
it seems that the webmaster must be a master of ASP writing, but we still have to deal with him in the last step: do we see the "remote type" in Figure 3? The ewebeditor can set the Automatic Storage remote file type. We can add the ASP type. But how can we make the ASP files remotely accessible be saved as source code? There are many methods. The simplest way is to delete "asp" in "application file ing" in IIS.

postscript
Based on your own experience, you can basically obtain webshell as long as you can access the background management of ewebeditor. Search for "ewebeditor. asp?" on Google? Id = "shows more than ten pages of relevant information. I checked several of them and found that the success rate was about 50%. Not bad? In earlier versions of oblg 2.52, ewebeditor is also used. You can search for several trainers. What's terrible is that the official website and help files of ewebeditor do not have any security tips in this regard. Also, I found that the official test system does not have similar vulnerabilities. It seems that they do not know, but do not take the network security of free users into consideration!