nuclei-templates/vulnerabilities/other/ueditor-file-upload.yaml

id: ueditor-file-upload
info:
  name: UEditor Arbitrary File Upload
  author: princechaddha
  severity: high
  description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.
  reference:
    - https://zhuanlan.zhihu.com/p/85265552
    - https://www.freebuf.com/vuls/181814.html
  tags: ueditor,fileupload

requests:
  - method: GET
    path:
      - "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "没有指定抓取源"
        part: body
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`id: ueditor-file-upload`
			`info:`
			`name: UEditor Arbitrary File Upload`
			`author: princechaddha`
			`severity: high`
Add description 2021-10-25 09:58:22 +00:00			`description: A vulnerability in UEditor allows remote unauthenticated attackers to upload arbitrary files to the server, this in turn can be used to make the application to execute their content as code.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Create ueditor-file-upload.yaml 2021-04-23 12:15:09 +00:00			`- https://zhuanlan.zhihu.com/p/85265552`
			`- https://www.freebuf.com/vuls/181814.html`
			`tags: ueditor,fileupload`

			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/ueditor/net/controller.ashx?action=catchimage&encode=utf-8"`
			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- "没有指定抓取源"`
			`part: body`