'''
http://www.exploit-db.com/moaub10-aradblog-multiple-remote-vulnerabilities/
'''

Abysssec Inc Public Advisory

Title                : aradBlog Multiple Remote Vulnerabilities
Affected Version     : <= 1.2.8
Discovery            : www.abysssec.com
Vendor               : http://www.arad-itc.com/
Impact               : Critical
Download Links       : http://aradblog.codeplex.com/
Admin Page           : http://Example.com/login.aspx
Remotely Exploitable : Yes
Locally Exploitable  : No

Description :
===========================================================================================

1- Remote Admin Access:

In the latest version of aradBlog you can reach the admin dashboard directly through a virtual path. The value 'mainadmin' is a virtual path defined in the DLL App_Web_eqzheiif.dll, in the FastObjectFactory_app_web_eqzheiif class.

Vulnerable code:

    ...
    public mainadmin_main_aspx()
    {
        this.AppRelativeVirtualPath = "~/mainadmin/Main.aspx";
        ...
    }
    ...

PoC:
http://Example.com/mainadmin/Main.aspx

2- Arbitrary File Upload:

Any file, including a malicious one, can be uploaded through this page:
http://Example.com/mainadmin/downloads.aspx

If you upload shell.aspx, for example, it will be stored at this path:
shell.aspx ---> http://Example.com/downloads/uploads/2010_7_25_shell.aspx

Note that the value 2010_7_25 is the server's current date.
===========================================================================================
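For defenders, the two issues above leave a recognisable trace in IIS access logs: hits on the hidden /mainadmin/ path, POSTs to mainadmin/downloads.aspx, and later requests for script files under /downloads/uploads/. The following detection script is an added example, not part of the advisory or of aradBlog; the IIS W3C log lines and IP addresses in it are constructed samples, and the field layout assumed is date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.

```python
"""Flag aradBlog abuse patterns in IIS W3C log lines (added example, constructed data)."""
import re
from urllib.parse import unquote

# Constructed sample log, fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2010-07-25 10:01:02 203.0.113.5 GET /Default.aspx - 200
2010-07-25 10:01:09 203.0.113.5 GET /mainadmin/Main.aspx - 200
2010-07-25 10:01:30 203.0.113.5 POST /mainadmin/downloads.aspx - 302
2010-07-25 10:01:41 203.0.113.5 GET /downloads/uploads/2010_7_25_shell.aspx - 200
2010-07-25 10:02:00 198.51.100.9 GET /downloads/uploads/2010_7_25_report.pdf - 200
2010-07-25 10:02:10 198.51.100.9 GET /login.aspx - 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Server-side script extensions that must never be served from the upload directory.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|cer)$", re.I)


def classify(line):
    """Return a finding label for one log line, or None when the line is benign."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _date, _time, _ip, method, stem, _query, _status = m.groups()
    stem = unquote(stem).lower()  # normalise URL encoding and case before matching
    if stem.startswith("/mainadmin/"):
        # The advisory says no login is needed for this path, so every hit merits review.
        if stem.endswith("/downloads.aspx") and method == "POST":
            return "upload-via-mainadmin"
        return "hidden-admin-access"
    if stem.startswith("/downloads/uploads/") and SCRIPT_EXT.search(stem):
        # A script file being fetched from the upload directory: likely a planted web shell.
        return "uploaded-script-executed"
    return None


def scan(log_text):
    """Return (client-ip, uri-stem, label) for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            fields = line.split()
            findings.append((fields[2], fields[4], label))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

In a real deployment the same checks belong in the reverse proxy or WAF as block rules, and the upload directory should have script execution disabled so the third pattern cannot occur at all.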