Powered by wqCWMS 3.0
Default account password: WangqiWagnqi (I can't find another way to get the account password)
Go to the admin back end, add an article, and check the editor.
Then browse the server. With Fck you must preview the uploaded image first. The JHACKJ method creates an image Trojan.
(Create a new image 1.jpg and a one-sentence Trojan txt; in this directory, run in cmd: Copy /B 1.jpg1_1.txt 5.jpg)
Uploaded 5.asp;.jpg, and it was changed to 5_asp;.jpg. In the upload step, 5_asp;(1).jpg
Tragedy
It seems that this road is blocked, and then try 5.asp; jpg. Cannot upload.
Then let's look at Baidu to see if there are any other methods.
Actually found:
4.1: Submit Shell.php + space bypass
However, the space is only supported on Win systems; *nix is not supported [Shell.php and Shell.php + space are 2 different files]. Not tested.
4.2: Continue to upload files with the same name: Shell.php(1).jpg. You can also create a folder; only the first-level directory is checked, and the second-level directory is unrestricted.
Unfortunately, I still cannot. When I was about to delete the pony that failed to upload, I suddenly found right-click and Rename, and decisively used Rename.
Okay, powerful Rename.
Okay, it turns out to be... the latest version of Fck. See the previous figure!!
This is the official website address:
Fix: do not need to change the default password. The editor vulnerability is also an old problem. See previous articles.
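
On the defensive side, the upload step above rewrote the file name, but the Rename action succeeded where the uploads had failed. The following is an added example, not code from the original post or from the CMS: one file-name policy in Python applied to both the upload and the rename path. The function names and the image-only allowlist are assumptions, and the sample names are the ones quoted in this post.

```python
import re
import uuid

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}  # assumed image-only policy
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")      # no dots, ';', '(', ':', '/', '\\'


def validate_name(name: str) -> str:
    """Return the lowercase extension if `name` is acceptable, else raise ValueError."""
    # Windows drops trailing spaces and dots, so "Shell.php " lands on disk as "Shell.php".
    if name != name.strip(" ."):
        raise ValueError("leading or trailing space/dot")
    stem, dot, ext = name.rpartition(".")
    if not dot:
        raise ValueError("no extension")
    # Exactly one dot is allowed: "5.asp;.jpg" and "Shell.php(1).jpg" fail here.
    if not SAFE_STEM.fullmatch(stem):
        raise ValueError("unsafe characters in base name")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return ext


def stored_name_for_upload(client_name: str) -> str:
    """Validate the client-supplied name, then store under a server-generated one."""
    return f"{uuid.uuid4().hex}.{validate_name(client_name)}"


def check_rename(old_name: str, new_name: str) -> str:
    """Rename goes through the same policy and may never change the extension."""
    if validate_name(new_name) != validate_name(old_name):
        raise ValueError("rename may not change the extension")
    return new_name


def is_allowed(check, *args) -> bool:
    try:
        check(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ["1.jpg", "5.asp;.jpg", "5_asp;(1).jpg", "Shell.php ", "Shell.php(1).jpg"]:
        print(f"{sample!r}: upload allowed = {is_allowed(validate_name, sample)}")
    print("rename 5.jpg -> 5.asp allowed =", is_allowed(check_rename, "5.jpg", "5.asp"))
```

The same check belongs on every action that can set or change a stored name (upload, rename, folder creation), and the upload directory should not be configured to execute scripts.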