[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MOAUB #10 - aradBlog Multiple Remote Vulnerabilities
# Published : 2010-09-09
# Author : Abysssec
# Previous Title : Symphony 2.0.7 Multiple Vulnerabilities
# Next Title : FCMS 2.2.3 Remote File Inclusion Vulnerability
'''
__ __ ____ _ _ ____
| / |/ __ / | | | | _
| / | | | | / | | | | |_) |
| |/| | | | |/ / | | | | _ <
| | | | |__| / ____ |__| | |_) |
|_| |_|____/_/ _____/|____/
http://www.exploit-db.com/moaub10-aradblog-multiple-remote-vulnerabilities/
'''
Abysssec Inc Public Advisory
Title : aradBlog Multiple Remote Vulnerabilities
Affected Version : <= 1.2.8
Discovery : www.abysssec.com
Vendor : http://www.arad-itc.com/
Impact : Critial
Download Links : http://aradblog.codeplex.com/
Admin Page : http://Example.com/login.aspx
Remotely Exploitable
Yes
Locally Exploitable
No
Description :
===========================================================================================
1- Remote Admin Access:
In this latest of aradBlog you can access to Admin's dashboard with this virtual Path
The value 'mainadmin' is a virtual path that defines in this DLL: App_Web_eqzheiif.dll and FastObjectFactory_app_web_eqzheiif class.
Vulnerable code:
...
public mainadmin_main_aspx()
{
this.AppRelativeVirtualPath = "~/mainadmin/Main.aspx";
...
}
...
PoC:
http://Exapmle.com/mainadmin/Main.aspx
2- Arbitrary File Upload
you can upload any malicious file using this path:
http://Example.com/mainadmin/downloads.aspx
if you upload a shell.aspx for example,it will be in this path:
shell.aspx ---> http://Example.com/downloads/uploads/2010_7_25_shell.aspx
Note that : the value 2010_7_25 is the exact date of server.
===========================================================================================