What is the solution to the Kindeditor vulnerability that causes the website to be implanted with Trojan files?

2025-01-17 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 05/31 Report

This article explains what to do when a Kindeditor vulnerability leads to a website being implanted with Trojan (webshell or malicious HTML) files. The content is fairly detailed; interested readers can refer to it, and we hope it is helpful.

Many companies use Kindeditor, an open-source visual editor that includes an image and file upload component. Its server-side upload code is provided for ASP, ASP.NET (aspx), PHP and JSP, so almost any website can use it; browser and mobile compatibility are also good, and users like it for editing and uploading.

Some time ago, while we at SINE Security were performing a comprehensive vulnerability assessment of customer websites, we found a serious upload vulnerability in Kindeditor. Many corporate and public-institution websites had illegal content uploaded to them, including gambling pages. From our security monitoring platform we saw that in March, April and May 2019 attacks exploiting the Kindeditor vulnerability became increasingly serious, and some websites were blocked by Aliyun (Alibaba Cloud) with a notice that the site's content was banned. Let's look at the details of the vulnerability.

The back ends of many attacked websites use the Kindeditor editor together with its upload_json component to upload pictures, documents and other files. The affected versions are Kindeditor 4.1.5 and earlier, and the vulnerable code is in upload_json.php: it does not securely restrict the type and size of the file a user uploads, so a user can forge a malicious file for upload. In particular, HTML files can be uploaded straight into the website's directory, where search engines crawl and index them.

To reproduce this Kindeditor upload vulnerability we used a Linux CentOS system with MySQL 5.6 and PHP 5.4, copied the Kindeditor 4.1.5 source code to the freshly built server, and opened http://127.0.0.1/Kindeditor/php/demo.php, as shown in the screenshot:

On the upload page we find that the file upload accepts htm and html by default, and an uploaded HTML file can carry XSS (cross-site scripting) code that executes in the visitor's browser. Attackers exploit this website flaw to upload in bulk, hijack the site's search-engine snapshot (the cached copy of the page) and seed the index with URLs of illegal content.

How can you tell whether a site uses the Kindeditor editor? Check for the upload_json endpoint of each server-side language:

1.kindeditor/asp/upload_json.asp?dir=file

2.kindeditor/asp.net/upload_json.ashx?dir=file

3.kindeditor/jsp/upload_json.jsp?dir=file

4.kindeditor/php/upload_json.php?dir=file

There is also a flaw that allows a webshell to be uploaded, placing ASP, PHP and other script files directly in the website's directory. First upload an image, then open the file manager and find the image just uploaded; click it, use the Firefox inspect-element tool to find the FORM, change the suffix JPG to PHP and click modify. The picture file is then renamed to a script file and can be executed.

Solutions and methods for repairing the Kindeditor vulnerability on a website

The vulnerability affects a wide range of sites and is widely attacked; the targets are generally corporate and government websites. Attackers use the upload flaw to upload HTML pages with gambling and similar content in order to hijack Baidu snapshots. It is recommended to delete the upload function, or to restrict the upload formats in the code: remove permission to upload html and htm, and allow only image formats and Word/text documents.
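The following is an added example, not code from the Kindeditor project or from the article's authors. It shows the recommended fix as a stand-alone Python policy that mirrors the per-directory extension whitelist used by upload_json.php: htm/html are gone from the "file" list, only pictures and Word/text documents remain, a size limit is enforced, image content must match its claimed type, and the stored filename is chosen by the server. It also covers the file-manager rename trick described above (JPG renamed to PHP): a rename that changes the extension is refused. The directory names, the exact whitelist and the 2 MiB limit are assumptions chosen for the example.

```python
"""Hardened upload and rename policy for a Kindeditor-style upload handler.

Added example (not Kindeditor's own code). The structure follows the
per-directory whitelist of upload_json.php; the lists, the size limit and
the magic-byte table below are assumptions for this example.
"""
import os
import secrets

# Per-directory whitelist. Kindeditor's default "file" list also allowed
# htm and html; they are removed here, and the remaining entries follow the
# article's advice (pictures and Word/text documents only). Assumed values.
ALLOWED_EXT = {
    "image": {"gif", "jpg", "jpeg", "png", "bmp"},
    "file": {"doc", "docx", "txt"},
}

MAX_SIZE = 2 * 1024 * 1024  # 2 MiB, an assumed limit

# Leading bytes an image of the claimed type must start with.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
}


def extension_of(name):
    """Lower-cased final extension of a client-supplied name, after dropping
    any directory part so that ../ segments in the name have no effect."""
    base = os.path.basename(name.replace("\\", "/"))
    if "." not in base:
        return None
    return base.rsplit(".", 1)[1].lower()


def validate_upload(dir_name, client_name, data):
    """Decide whether an upload into dir_name is accepted.

    Returns (True, stored_name) or (False, reason). The stored name is random
    and never derived from the client name, so nothing the client sent
    (including a double extension like shell.php.jpg) reaches the disk.
    """
    allowed = ALLOWED_EXT.get(dir_name)
    if allowed is None:
        return False, "unknown upload directory"
    ext = extension_of(client_name)
    if ext is None or ext not in allowed:
        return False, f"extension {ext!r} not allowed in {dir_name}"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    if dir_name == "image" and not data.startswith(MAGIC[ext]):
        return False, "content does not match the claimed image type"
    return True, f"{secrets.token_hex(8)}.{ext}"


def rename_allowed(dir_name, old_name, new_name):
    """Rename policy for the file manager: the extension must stay the same
    and must be whitelisted, so cover.jpg can never become cover.php."""
    old_ext, new_ext = extension_of(old_name), extension_of(new_name)
    if old_ext is None or new_ext is None or old_ext != new_ext:
        return False
    return new_ext in ALLOWED_EXT.get(dir_name, set())


if __name__ == "__main__":
    # Constructed sample uploads: a gambling HTML page, a real-looking JPEG,
    # a PHP webshell with a .jpg name, and a path-traversal name.
    samples = [
        ("file", "promo.html", b"<html><script>location='http://example.invalid'</script></html>"),
        ("image", "cover.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("image", "cover.jpg", b"<?php system($_GET['c']); ?>"),
        ("image", "../../cover.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for dir_name, name, data in samples:
        print(dir_name, name, validate_upload(dir_name, name, data))
    print("rename cover.jpg -> cover.php:", rename_allowed("image", "cover.jpg", "cover.php"))
```

The magic-byte check stops a plain PHP or HTML file from passing as an image, but it does not stop a polyglot that starts with a valid JPEG header; what actually keeps such a file from running is that the stored name keeps a whitelisted extension chosen by the server and can never be renamed to a script suffix. For the same reason the upload directory should also be served with script execution disabled.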

That is all on what to do when a Kindeditor vulnerability leads to a website being implanted with Trojan files. We hope the above content is helpful and that you can learn more from it. If you think the article is good, share it so more people can see it.
