Ewebeditor: The website of the stealth bomb _ Trojan related

Webmaster in the use of ewebeditor when found, Ewebeditor improperly configured will make it become the site of the stealth bomb it? The first time it was discovered that the loophole originated from an invasion last year, found Ewebeditor at the end of the tether, so it was easy to get Webshell. Then there are several times to use Ewebeditor to carry out the successful invasion of the experience, this just remembered should write an article and everyone share, but also please the general has used the Ewebeditor webmaster hurriedly check their site. Otherwise, you are the next one to be black!

Vulnerability utilization
The steps to obtain Webshell using Ewebeditor are as follows:
1. Make sure the site uses Ewebeditor. Generally speaking, we can make a general judgment by paying attention to whether the page with the post (article) has a similar icon.
2. Look at the source code and find the path to the Ewebeditor. Click "View Source" to see if there is a similar "<iframe id= ' eWebEditor1 ' src= '/edit/ewebeditor.asp?id=content&style=web ' in the source code" frameborder =0 scrolling=no width= ' a ' and ' height= ' ></iframe> ' statement. In fact, only found the existence of such a statement, you can really determine the site using the Ewebeditor. Then write down src= ' * * * in the "* * *", this is the ewebeditor path.
3. Access the Ewebeditor Admin login page. The default admin page for Ewebeditor is admin_login.asp, and ewebeditor.asp is in the same directory. Take the above path for example, we visited the address: http://www.***.net/edit/admin_login.asp, to see if there is a login page.
If you do not see such a page, the administrator has deleted the management login page, hehe, wait for what, leave Ah, try another place. But generally speaking, I rarely see any admin deleted this page, try the default username: admin, Password: admin888. What do you think? Success (not the default account, please see the text)!
4. Increase the upload file type. Why do you want to select the style below in the list by clicking "Style Management" and selecting the "setting" in the list below? Because the Ewebeditor style is not allowed to be modified, of course you can also copy a new style to set.

Then add the "ASA" type in the uploaded file type.

5. Upload ASP trojan, get Webshell. Next to the ASP Trojan extension to ASA, you can simply upload your ASP trojan. Don't ask me how to upload ah, see "Preview" it? Click "Preview" and select the "Insert other File" button.

Vulnerability principle
The exploit principle is very simple, please see Upload.asp file:
Uploading ASP script files is not allowed under any circumstances
Sallowext = Replace (UCase (Sallowext), "ASP", "")
Because ewebeditor only filters the ASP file. I remember the first time I used ewebeditor when I was wondering: since the author already know that the ASP files need to filter, why not simultaneously filter ASA, CER and other documents? Perhaps this is the irresponsible performance of the free user!

Advanced Applications
Ewebeditor's exploits also have some tips:
1. You cannot log on using the default username and password.
Please try to download the DB directory directly under the Ewebeditor.mdb file, username and password in the Ewebeditor_system table, after the MD5 encryption, if unable to download or can not crack, then when their own bad luck.
2. The ASA type was added and found unable to upload.
Should be the webmaster understand point code, their own modified upload.asp file, but no relationship, according to ordinary people's thinking habits, often directly in Sallowext = Replace (UCase (Sallowext), "ASP", "") A sentence on the amendment, I have seen a webmaster to modify this:
Sallowext = replace (replace (replace (sallowext), "ASP", ""), "CER", "" "," ASA "," ")," CDX "," ")," HT R "," ")
A look at what all filtered, but we simply add "AASPSP" in the upload type, you can upload the ASP file directly. Oh, is not the idea of genius? "AASPSP" Filtered "asp" character, but instead became "ASP"! By the way, let me tell you a secret, in fact, dynamic Network Forum 7.0 SP2 can also use similar methods to bypass the filtering of extensions.
3. After uploading the ASP file, it is found that the directory does not have permission to run scripts.
Oh, really very stupid ah, upload type can be changed, upload path can not also be modified? Take a closer look at figure four.
4. The method in the 2nd is already in use, but the ASP type is still unable to upload.
It seems that the webmaster is a master of writing ASP, but we have the last recruit against him: see figure three, "remote type"? Ewebeditor can set the type of automatic save remote file, we can add ASP type. But how can remote-access ASP files be saved in source form? The easiest way to do this is to remove "ASP" from the "Apply file mapping" in IIS.

Postscript
According to own experience, almost as long as can enter ewebeditor backstage management, basically can obtain Webshell. Google search for "ewebeditor.asp?id=" to see more than 10 pages of relevant information, I have a general sampling of several of them, found success rate of about 50%. Isn't it good? OBLG version 2.52 is also used ewebeditor, can go to search a few to practice practicing. Ewebeditor's official website and help files do not have this security hint at all. Also, I found that the official test system does not have a similar loophole, it seems not that they do not know, but did not put the free users of the network safety at heart!