I. Source code analysis
/src/main/java/com/geekcattle/controller/console/UeditorController.java
File upload. When an invalid file extension is detected, the handler neither exits nor returns, so processing continues and the file is still saved.
II. Vulnerability testing
In the Ueditor editor, upload a picture.
The front end validates the file extension, so a normal image file has to be chosen first.
After intercepting the request with BurpSuite, modify the uploaded file name and content.
Geek-framework is a Java development framework; the ueditor plug-in here is incomplete, but the backdoor file is still uploaded.
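The defect described above is a control-flow bug: the extension check records an error but never stops the method, so the write still happens. The following Java class is an added illustration, not code from geek-framework or its UeditorController; the class name, method names and the ALLOWED set are assumptions. It places the vulnerable pattern next to a hardened version that returns early, generates its own file name, and checks the file's leading bytes rather than trusting the extension.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Stream;

/**
 * Hypothetical upload handler (not the project's code) showing the
 * missing-return defect and one way to fix it.
 */
public class UploadExample {

    // Assumed allow-list of image extensions.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");

    private static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Very small content check: does the byte prefix match a known image signature? */
    static boolean looksLikeImage(byte[] b) {
        if (b.length < 4) return false;
        boolean png = (b[0] & 0xFF) == 0x89 && b[1] == 'P' && b[2] == 'N' && b[3] == 'G';
        boolean jpeg = (b[0] & 0xFF) == 0xFF && (b[1] & 0xFF) == 0xD8 && (b[2] & 0xFF) == 0xFF;
        boolean gif = b[0] == 'G' && b[1] == 'I' && b[2] == 'F' && b[3] == '8';
        return png || jpeg || gif;
    }

    /** Vulnerable pattern: the error state is set, but the method keeps going and writes the file. */
    public static String saveVulnerable(Path uploadDir, String originalName, byte[] content) throws IOException {
        String state = "SUCCESS";
        if (!ALLOWED.contains(extensionOf(originalName))) {
            state = "ERROR: extension not allowed";
            // BUG: no 'return state;' here, so execution falls through to the write
        }
        Path target = uploadDir.resolve(originalName); // also trusts the client-supplied name
        Files.write(target, content);                  // written regardless of 'state'
        return state;
    }

    /** Hardened pattern: reject before touching the filesystem, and do not reuse the client's name. */
    public static String saveFixed(Path uploadDir, String originalName, byte[] content) throws IOException {
        String ext = extensionOf(originalName);
        if (!ALLOWED.contains(ext)) {
            return "ERROR: extension not allowed";
        }
        if (!looksLikeImage(content)) {
            return "ERROR: content is not an image";
        }
        // Server-generated name: no path separators, no client-chosen double extensions.
        String safeName = UUID.randomUUID() + "." + ext;
        Path target = uploadDir.resolve(safeName).normalize();
        if (!target.startsWith(uploadDir)) {
            return "ERROR: path escapes upload directory";
        }
        Files.write(target, content);
        return "SUCCESS";
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("upload-demo");
        byte[] body = "not an image".getBytes(); // constructed sample content

        // Vulnerable: reports an error yet the file lands on disk.
        String v = saveVulnerable(dir, "report.jsp", body);
        System.out.println("vulnerable: " + v + ", file exists = " + Files.exists(dir.resolve("report.jsp")));

        // Fixed: rejected by extension; renamed-to-.png is rejected by content.
        System.out.println("fixed (jsp): " + saveFixed(dir, "report.jsp", body));
        System.out.println("fixed (png name, non-image bytes): " + saveFixed(dir, "report.png", body));
        try (Stream<Path> files = Files.list(dir)) {
            System.out.println("files in dir = " + files.count()); // only the vulnerable write
        }
    }
}
```

The content check here only inspects a few leading bytes; it stops the simple rename-and-reupload shown in section II but is not a full image validator. The early return is the essential change: every rejection path must leave the method before any write, and the stored name should be generated by the server.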