0x00 概述
8月21日,网上爆出 UEditor .NET 版本的 getshell 漏洞:由于只校验了 ContentType 而没有校验文件后缀,导致可以 getshell。
0x01 漏洞重现
Payload:
shell addr:
图片马x.jpg放在自己服务器上
提交http://www.domain.top/x.jpg?.aspx
返回:
菜刀连接:
0x02 修复方案
增加文件扩展名校验(白名单),而不是仅依赖 ContentType 校验。
0x03 漏洞分析
ueditor1_4_3_3-utf8-net\utf8-net\net\controller.ashx
using System;
using System.Web;
using System.IO;
using System.Collections;
using Newtonsoft.Json;
public class UEditorHandler : IHttpHandler
{
public void ProcessRequest(HttpContext context)
{
Handler action = null;
switch (context.Request["action"])
{
case "config":
action = new ConfigHandler(context);
break;
case "uploadimage":
action = new UploadHandler(context, new UploadConfig()
{
AllowExtensions = Config.GetStringList("imageAllowFiles"),
PathFormat = Config.GetString("imagePathFormat"),
SizeLimit = Config.GetInt("imageMaxSize"),
UploadFieldName = Config.GetString("imageFieldName")
});
break;
case "uploadscrawl":
action = new UploadHandler(c