aradBlog 1.2.8d shell upload / remote administrative access

2010.09.13
Credit: Abysssec
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Abysssec Inc Public Advisory
Reference: http://www.exploit-db.com/moaub10-aradblog-multiple-remote-vulnerabilities/

Title                : aradBlog Multiple Remote Vulnerabilities
Affected Version     : <= 1.2.8
Discovery            : www.abysssec.com
Vendor               : http://www.arad-itc.com/
Impact               : Critical
Download Links       : http://aradblog.codeplex.com/
Admin Page           : http://Example.com/login.aspx
Remotely Exploitable : Yes
Locally Exploitable  : No

Description :
===========================================================================================

1- Remote Admin Access:

In the latest aradBlog you can reach the admin dashboard directly through a virtual path, without going through login.aspx. The value 'mainadmin' is a virtual path defined in the App_Web_eqzheiif.dll assembly, in the FastObjectFactory_app_web_eqzheiif class.

Vulnerable code:

    ...
    public mainadmin_main_aspx()
    {
        this.AppRelativeVirtualPath = "~/mainadmin/Main.aspx";
        ...
    }
    ...

PoC:

    http://Example.com/mainadmin/Main.aspx

2- Arbitrary File Upload:

You can upload any malicious file using this path:

    http://Example.com/mainadmin/downloads.aspx

If you upload a shell.aspx, for example, it is stored at:

    shell.aspx ---> http://Example.com/downloads/uploads/2010_7_25_shell.aspx

Note that the value 2010_7_25 is the exact date of the server at the time of upload.
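Detection logic for the two issues above, as an added example that is not part of the advisory: it walks constructed IIS W3C log lines (server and client addresses are placeholders) and flags anonymous hits on the mainadmin path that were served rather than redirected, anonymous POSTs to downloads.aspx, and script files served out of downloads/uploads, distinguishing ones that carry the YYYY_M_D_ prefix the uploader adds.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample log; 10.0.0.5 and the client addresses are placeholders.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2010-07-25 10:01:02 10.0.0.5 GET /default.aspx - 80 - 198.51.100.7 200
2010-07-25 10:01:09 10.0.0.5 GET /mainadmin/Main.aspx - 80 - 198.51.100.7 200
2010-07-25 10:01:40 10.0.0.5 POST /mainadmin/downloads.aspx - 80 - 198.51.100.7 302
2010-07-25 10:02:03 10.0.0.5 GET /downloads/uploads/2010_7_25_shell.aspx - 80 - 198.51.100.7 200
2010-07-25 10:05:00 10.0.0.5 GET /downloads/uploads/2010_7_25_report.pdf - 80 - 203.0.113.9 200
"""

ADMIN_PREFIX = "/mainadmin/"            # virtual path named in the advisory
UPLOAD_DIR = "/downloads/uploads/"      # where downloads.aspx stores files
SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx")
DATED_NAME = re.compile(r"^\d{4}_\d{1,2}_\d{1,2}_")  # YYYY_M_D_ prefix the uploader adds

def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(rec: Dict[str, str]) -> Optional[str]:
    """Label a request, or return None when it matches none of the patterns."""
    stem = rec["cs-uri-stem"].lower()
    anonymous = rec["cs-username"] == "-"      # IIS logs '-' when nobody is authenticated
    if stem.startswith(ADMIN_PREFIX) and anonymous:
        if rec["cs-method"] == "POST" and stem.endswith("/downloads.aspx"):
            return "anonymous_upload_attempt"
        if rec["sc-status"].startswith("2"):    # served, not redirected to login.aspx
            return "admin_page_served_without_login"
    if stem.startswith(UPLOAD_DIR) and stem.endswith(SCRIPT_EXTS) and rec["sc-status"] == "200":
        name = stem[len(UPLOAD_DIR):]
        return "uploaded_script_executed" if DATED_NAME.match(name) else "script_in_upload_dir"
    return None

def scan(text: str) -> List[Tuple[str, str, str]]:
    hits = []   # (label, client ip, uri) for every request that matches a pattern
    for rec in parse_w3c(text):
        label = classify(rec)
        if label:
            hits.append((label, rec["c-ip"], rec["cs-uri-stem"]))
    return hits
```

Running scan() over the sample yields three findings in order: the admin page served to an anonymous client, the anonymous upload POST, and the dated .aspx file being executed from the upload directory; the PDF is ignored.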

