Webmasters who use eWebEditor: have you noticed that an improperly configured eWebEditor becomes an invisible bomb in your website? I first discovered this vulnerability during an intrusion last year. I discovered eWebEditor at the end of my life, so I simply obtained a WebShell. Later, I had several more successful experiences of using eWebEditor for intrusion. Then I remembered that I should write an article to share with you. At the same time, I also ask webmasters who already use eWebEditor to check their own sites quickly. Otherwise, you will be the next one to be hacked!
Vulnerability exploitation
The steps to obtain WebShell using eWebEditor are roughly as follows:
1. Make sure the website uses eWebEditor. Generally speaking, we can make a rough judgment by checking whether the page for publishing a post (article) has icons similar to those of eWebEditor.
2. Check the source code and find the path to eWebEditor. Click "View source code" and see if there is a statement similar to "<iframe ID='eWebEditor1' src='/edit/ewebeditor.asp?id=content&style=web' frameborder=0 scrolling=no width='550' HEIGHT='350'></iframe>" in the source code. In fact, only by finding such a statement can you truly confirm that the website uses eWebEditor. Then note the "***" in src='***', which is the eWebEditor path.
3. Visit eWebEditor's administrative login page. The default management page of eWebEditor is admin_login.asp, and it is in the same directory as ewebeditor.asp. Taking the above path as an example, the address to visit is http://www.***.net/edit/admin_login.asp; see if the login page appears.
If you don’t see such a page, it means that the administrator has deleted the management login page. Haha, what are you waiting for? Leave, try a different place. But generally speaking, I rarely see an administrator who has deleted this page. Try the default username: admin and password: admin888. How about it? It's successful (if the default account does not work, please read the following text)!
4. Add to the allowed upload file types. Click "Style Management" and select "Settings" for one of the styles lower down in the list. Why choose a style lower down in the list? Because the styles that ship with eWebEditor cannot be modified; of course, you can also copy one to a new style and change its settings.
Then add the "asa" type to the uploaded file type.
5. Upload the ASP Trojan and get a WebShell. Next, change the extension of the ASP Trojan to asa, and you can simply upload it. Don’t ask me how to upload it. Have you seen the “Preview”? Click "Preview" and then select the "Insert Other Files" button.
The principle of vulnerability
The principle behind the vulnerability is very simple; see the Upload.asp file:
' Uploading asp script files is not allowed under any circumstances
sAllowExt = Replace(UCase(sAllowExt), "ASP", "")
This works because eWebEditor only filters ASP files. I remember when I first used eWebEditor, I wondered: since the author already knows that asp files need to be filtered, why not filter asa, cer and other files at the same time? Maybe this is a sign of irresponsibility to free users!
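For webmasters checking their own site, the following added example (not part of the original article or of eWebEditor) models the Upload.asp line above in Python, audits style settings for executable types that survive it, and shows an allowlist check that a changed style cannot widen. It assumes a style stores its extensions as a "|"-separated string; the style names, SAFE_EXTS and all function names are constructed for illustration.

```python
# Added example: Python model of the Upload.asp filter plus an allowlist check.
# Assumption: a style stores its allowed extensions as a "|"-separated string.

# Extensions the article names as executable on the server; extend this set to
# match the script mappings configured on your own IIS site.
SCRIPT_EXTS = frozenset({"ASP", "ASA", "CER"})
# Constructed fixed allowlist that the admin panel cannot widen.
SAFE_EXTS = frozenset({"GIF", "JPG", "JPEG", "PNG", "BMP"})

# Constructed sample style settings (style name -> allowed extensions).
SAMPLE_STYLES = {
    "standard": "gif|jpg|jpeg|bmp",
    "with_asp": "gif|asp|jpg",
    "copy_of_standard": "gif|jpg|asa",
}

def ewebeditor_filter(allow_ext):
    """Equivalent of: sAllowExt = Replace(UCase(sAllowExt), "ASP", "")"""
    return allow_ext.upper().replace("ASP", "")

def split_exts(allow_ext):
    """Split a "|"-separated extension list into a set, dropping empty items."""
    return {e.strip() for e in allow_ext.split("|") if e.strip()}

def risky_after_filter(allow_ext):
    """Server-executable extensions that survive the original filter."""
    return sorted(split_exts(ewebeditor_filter(allow_ext)) & SCRIPT_EXTS)

def audit_styles(styles):
    """Map each style that still permits an executable type to those types."""
    findings = {name: risky_after_filter(exts) for name, exts in styles.items()}
    return {name: exts for name, exts in findings.items() if exts}

def upload_permitted(filename, allow_ext):
    """Hardened check: final extension must be configured AND in SAFE_EXTS."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].upper()
    return ext in (split_exts(allow_ext.upper()) & SAFE_EXTS)

if __name__ == "__main__":
    for style, exts in audit_styles(SAMPLE_STYLES).items():
        print(f"style {style!r} still accepts executable types: {exts}")
    print(upload_permitted("page.asa", SAMPLE_STYLES["copy_of_standard"]))
```

Any style reported by audit_styles should be reset, and the default admin/admin888 login changed, since that login is what allows the style to be edited in the first place.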
Advanced Applications