## **I. Stored XSS via XML file upload in the latest UEditor**

### Tested version: PHP version v1.4.3.3

### Download: https://github.com/fex-team/ueditor

Reproduction steps:

### 1. Upload an image file

![1.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088283473552.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

### 2. Intercept the request with Burp Suite

![2.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088290217022.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

### 3. Change the uploadimage action to uploadfile, change the file extension to xml, and paste in the XML code

![3.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088300983842.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

### 4. The XSS pops up

![4.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088307656281.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

### Note the access path of controller.xxx:

http://192.168.10.1/ueditor1433/php/controller.php?action=listfile

![5.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088318722850.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)

### Common XML pop-up PoC:

Alert XSS:

```
<body>
```
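The root cause in step 3 is that the upload handler trusts the client-chosen action and file extension, so a file the browser will render as active content (.xml, .xhtml, .svg, .html) ends up served from the web root. The following PHP check is an added hardening example, not UEditor's own code and not from the original post; the action names uploadimage/uploadfile come from the page, while the function name, the allowlists and the storage naming are assumptions for illustration.

```php
<?php
// Added example: validate an upload before it is written under the web root.
// Assumes the handler receives the UEditor "action" parameter, the client
// supplied file name and the temporary path of the uploaded bytes.

// Extensions a browser may render as active content. These are rejected
// for every action, regardless of what the configured allowlist says.
const ACTIVE_CONTENT_EXTENSIONS = ['xml', 'xhtml', 'html', 'htm', 'svg', 'js'];

// Per-action allowlists (constructed for this example; the real UEditor
// config.json keeps its own imageAllowFiles / fileAllowFiles lists).
const ALLOWED_EXTENSIONS = [
    'uploadimage' => ['png', 'jpg', 'jpeg', 'gif', 'bmp'],
    'uploadfile'  => ['zip', 'rar', '7z', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'txt'],
];

function validate_upload(string $action, string $clientName, string $tmpPath): array
{
    if (!isset(ALLOWED_EXTENSIONS[$action])) {
        return ['ok' => false, 'reason' => 'unknown action'];
    }

    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // Reject renderable types first, so switching uploadimage -> uploadfile
    // with a .xml name (the trick in step 3) is stopped before the allowlist.
    if (in_array($ext, ACTIVE_CONTENT_EXTENSIONS, true)) {
        return ['ok' => false, 'reason' => 'active content extension rejected'];
    }
    if (!in_array($ext, ALLOWED_EXTENSIONS[$action], true)) {
        return ['ok' => false, 'reason' => "extension .$ext not allowed for $action"];
    }

    // The extension is client controlled; for images also check the bytes.
    if ($action === 'uploadimage' && @getimagesize($tmpPath) === false) {
        return ['ok' => false, 'reason' => 'file content is not a valid image'];
    }

    // Store under a server generated name so the client name never reaches disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'stored_name' => $stored];
}
```

Any upload that must be accepted anyway should be served with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so the browser downloads it instead of rendering it.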
## **一、Ueditor最新版XML文件上传导致存储型XSS** ### 测试版本:php版 v1.4.3.3 ### 下载地址:https://github.com/fex-team/ueditor 复现步骤: ### 1\. 上传一个图片文件 ![1.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088283473552.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) ### 2\. 然后buprsuit抓包拦截 ![2.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088290217022.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) ### 3.将uploadimage类型改为uploadfile,并修改文件后缀名为xml,最后复制上xml代码即可 ![3.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088300983842.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) ### 4\. 即可弹出xss ![4.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088307656281.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) ### 请注意http://controller.xxx的访问路径 http://192.168.10.1/ueditor1433/php/controller.php?action=listfile ![5.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088318722850.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=) ### 常见的xml弹窗POC: 弹窗xss: ``` <body>