## **1. Stored XSS via XML file upload in the latest UEditor**
### Tested version:
PHP edition v1.4.3.3
### Download: https://github.com/fex-team/ueditor
### Reproduction steps:
### 1. Upload an image file
![1.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088283473552.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
### 2. Intercept the request with Burp Suite
![2.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088290217022.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
### 3. Change the uploadimage action to uploadfile, change the file extension to xml, and paste in the XML code
![3.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088300983842.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
### 4. The XSS pops up
![4.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088307656281.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
### Note the access path of http://controller.xxx:
http://192.168.10.1/ueditor1433/PHP/controller.PHP?action=listfile
![5.png](http://www.icode9.com/i/li/?n=2&i=images/20210619/1624088318722850.png?,size_14,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_20,type_ZmFuZ3poZW5naGVpdGk=)
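As an added defensive example (not UEditor's own code), the following PHP check shows how an uploadfile handler can close this vector: an extension allowlist that leaves out markup types such as xml, svg and html, plus a sniff of the file's leading bytes so a renamed markup file is still refused. The field name `upfile`, the function names and the allowlist contents are assumptions made for the example.

```php
<?php
// Added mitigation example, not UEditor's own code. Names below are
// hypothetical; only the request shape (action=uploadfile with a file
// part) is taken from the write-up.

// Extensions that may be stored and served from the upload directory.
// Deliberately absent: xml, svg, html, htm, xhtml, xsl, which browsers
// render as markup and therefore execute script from.
const SAFE_UPLOAD_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip', 'txt', 'doc', 'docx'];

// Returns true only if the extension is allowlisted AND the leading bytes
// do not look like markup a browser would execute regardless of extension.
function is_safe_upload(string $originalName, string $content): bool
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, SAFE_UPLOAD_EXTENSIONS, true)) {
        return false;
    }
    // Sniff the first 512 bytes for signatures of XML/XSLT/SVG/HTML.
    $head = strtolower(substr($content, 0, 512));
    foreach (['<?xml', '<xsl:', '<svg', '<html', '<script', '<!doctype'] as $sig) {
        if (strpos($head, $sig) !== false) {
            return false;
        }
    }
    return true;
}

// Hypothetical handler for action=uploadfile. $file is one $_FILES entry
// (e.g. $_FILES['upfile']; the field name is an assumption here).
function handle_upload_file(array $file, string $uploadDir): array
{
    $content = file_get_contents($file['tmp_name']);
    if ($content === false || !is_safe_upload($file['name'], $content)) {
        return ['state' => 'ERROR: file type not allowed'];
    }
    // Never reuse the client-supplied name: store under a random name with
    // the validated extension so the final path is not attacker-chosen.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['state' => 'ERROR: could not store file'];
    }
    return ['state' => 'SUCCESS', 'url' => $target];
}
```

Serving the upload directory with `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, and disabling the listfile action where it is not needed, removes the remaining ways a stored file can be located and rendered inline.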
### Common XML popup POC:
Popup XSS:
```
<body>
alert(1);