First, we introduce some default features of the editor:
Default login page: admin_login.asp
Default database: db/ewebeditor.mdb
Default account: admin, password: admin or admin888
Search: inurl:ewebeditor on baidu/google
There are at least a few thousand websites out there still running with these defaults, so try the default admin backend first.
http://www.xxx.com.cn/admin/ewebeditor/admin_login.asp
Try logging in with the default account and password.
The steps to obtain WebShell using eWebEditor are roughly as follows:
1. Make sure the website uses eWebEditor. Generally speaking, we only need to pay attention to whether the page where the post (article) is published has a similar marked icon, and we can make a rough judgment.
2. View the source code and find the path of eWebEditor. Click to view the source code and look for a statement similar to <iframe src='/edit/ewebeditor.asp?id=content&style=web' frameborder=0 scrolling=no width='550' height='350'></iframe>. In fact, only by finding such a statement can we be truly sure that this website uses eWebEditor. Then write down the *** in src='***'; this is the eWebEditor path.
3. Visit the management login page of eWebEditor. The default management page of eWebEditor is admin_login.asp, which is in the same directory as ewebeditor.asp. Taking the above path as an example, the address we visited is: http://www.***.net/edit/admin_login.asp to see if the login page appears.
If you don’t see such a page, it means that the administrator has deleted the management login page. Haha, what are you waiting for? Just leave and try somewhere else. But generally speaking, I rarely see any administrator delete this page. Try the default username: admin, password: admin888. How about it? Is it successful (please see the following article if it is not the default account)!
4. Add upload file types. Click Style Management and select any style setting at the bottom of the list. Why select a style at the bottom of the list? Because the styles that come with eWebEditor are not allowed to be modified; of course you can also copy a new style and set it up.
Then add the asa type to the allowed upload file types.
5. Upload the ASP Trojan and obtain WebShell. Next, change the extension of the ASP Trojan to asa, and you can simply upload your ASP Trojan. Don't ask me how to upload it. Have you seen the preview? Just click Preview and then select the button to insert other files.
Vulnerability principle
The principle of exploiting the vulnerability is very simple, please see the Upload.asp file:
' Uploading asp script files is not allowed under any circumstances
sAllowExt = Replace(UCase(sAllowExt), "ASP", "")
Because eWebEditor only filters ASP files. I remember that when I first used eWebEditor, I was wondering: Since the author already knew that asp files needed to be filtered, why not filter asa, cer and other files at the same time? Maybe this is a sign of irresponsibility to free users!
Advanced applications
There are also some tips for exploiting eWebEditor vulnerabilities:
1. Unable to log in using the default username and password.
Please try directly downloading the ewebeditor.mdb file in the db directory. The username and password are in the eWebEditor_System table and are stored as MD5 hashes. If you cannot download or crack it, consider yourself out of luck.
2. After adding the asa type, I found that it still could not be uploaded.
It should be that the webmaster knows some code and modified the Upload.asp file himself, but it doesn't matter. Following ordinary habits of thinking, people usually modify the line sAllowExt = Replace(UCase(sAllowExt), "ASP", "") directly. I have seen one webmaster modify it like this:
sAllowExt = Replace(Replace(Replace(Replace(Replace(UCase(sAllowExt), "ASP", ""), "CER", ""), "ASA", ""), "CDX", ""), "HTR", "")
At first glance everything is filtered, but as long as we add aaspsp to the upload types, we can directly upload asp files. Haha, isn't it a genius idea? After the filter removes the asp characters from aaspsp, what remains is asp! By the way, let me tell you a secret: similar methods can be used to bypass extension filtering in Dongwang Forum 7.0sp2.
3. After uploading the asp file, I found that the directory did not have permission to run the script.
Haha, I’m so stupid. The upload type can be changed, but can’t the upload path also be modified?
4. The method in point 2 has been used, but the asp type still cannot be uploaded.
It seems that the webmaster must be a master of writing asp, but we have one last trick to deal with him: eWebEditor can set the type of automatic saving of remote files, and we can add the asp type. But how can we enable remote access to asp files to be saved in source code form? There are many methods, the simplest method is to delete asp in the application file mapping in IIS.
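As an added example (not eWebEditor's own code), the following Python models the Replace-based blacklist from the Vulnerability principle section and from tip 2 above, shows why a single-pass Replace cannot be patched into a safe filter, and puts an allow-list check beside it; the names in SAFE_EXTENSIONS and the sample inputs are constructed for illustration.

```python
# Models eWebEditor's Upload.asp extension filtering: sAllowExt is a
# "|"-separated list of permitted extensions edited through Style Management.
# The blacklist below reproduces the VBScript Replace(UCase(...), "ASP", "")
# behaviour; the allow-list is the hardened alternative. Added example only.

DEFAULT_BANNED = ("ASP", "CER", "ASA", "CDX", "HTR")   # the five tokens from the page

def vbs_replace(value: str, needle: str) -> str:
    """Mimic VBScript Replace(UCase(value), needle, ""): one left-to-right pass,
    the result is never re-scanned, so removing a token can create a new one."""
    return value.upper().replace(needle.upper(), "")

def blacklist_filter(allow_ext: str, banned=DEFAULT_BANNED) -> str:
    """The filter style quoted on the page: strip each banned token once."""
    result = allow_ext
    for token in banned:
        result = vbs_replace(result, token)
    return result

def blacklist_permits_asp(allow_ext: str, banned=DEFAULT_BANNED) -> bool:
    """True when the blacklist leaves 'ASP' in the permitted list."""
    return "ASP" in blacklist_filter(allow_ext, banned).split("|")

# Constructed allow-list for the hardened check: name what is permitted,
# never what is forbidden, so no token rewriting can reintroduce a script type.
SAFE_EXTENSIONS = frozenset({"GIF", "JPG", "JPEG", "PNG", "BMP", "ZIP", "RAR", "PDF"})

def allowlist_filter(allow_ext: str) -> list:
    """Keep only configured tokens that match the known-safe set exactly."""
    tokens = [t.strip().upper() for t in allow_ext.split("|") if t.strip()]
    return [t for t in tokens if t in SAFE_EXTENSIONS]

def upload_permitted(filename: str, allowed: list) -> bool:
    """Decide on the final extension only, compared exactly against the allow-list."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].upper()
    return ext in allowed

if __name__ == "__main__":
    # Original one-token filter: asa sails straight through.
    print(blacklist_filter("GIF|JPG|ASA", banned=("ASP",)))       # GIF|JPG|ASA
    # Five-token "fix" from tip 2: removing ASP from AASPSP yields ASP.
    print(blacklist_filter("GIF|JPG|AASPSP"))                     # GIF|JPG|ASP
    # Allow-list: neither the padded token nor asa survives.
    print(allowlist_filter("GIF|JPG|AASPSP|ASA"))                 # ['GIF', 'JPG']
```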