CVE-2018-9206:  Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0

    Alternatively known as the "eight year zero day".  Lots of vulnerabilities go unnoticed, although eight years seems like a bit much.

    I found this vulnerable version, set it up on a server, and decided to play around with an automated version of:

    <?php $cmd=$_GET['cmd']; system($cmd);?>

    Exploit-DB has an exploit already but you can use curl -F to upload a shell with the above syntax.  You could push up a reverse shell as well but I got to thinking, what if I did a little bit of automation:


    A while back, I wrote about a buffer overflow I discovered while tackling a CTF style box.  It's not a complete guide to buffer overflow but if you have some basic instructions on "how to", you can fill in those gaps that I've left unwritten. 

    When I first learned of buffer overflows, I was sort of following along with blind faith, hoping it would all work out in the end.  At a certain point though, the tools we use become more familiar through other use.  For example, MSFVenom will become widely used for more than just generating shellcode for buffer overflows.  You'll go from mindlessly retyping the text you see to understanding what you're actually typing.  And then, hopefully, wanting to test what you're doing prior to pointing it at your victim machine.

    In the line below, I'm generating Linux shellcode, the architecture is 64 bit, the shellcode will spawn a reverse shell, host and port are pointing back to my box, my format is C code, and I'm excluding the bad characters which could muck up the execution. Like the buffer overflow explanation in the above referenced post, I'm not drilling down completely because a lesson on why null byte, line feed, and carriage return could / will cause problems is an entire post on its own.


    While talking with a client this morning, I started to get nerdy about passwords and password managers.  A few things I emphasized were that passwords should be unique across all logins, password managers should be used by everyone, and saving passwords in Chrome (and other browsers) is a risky proposition.  

    I've actually wanted to write this up for a while now but the conversation this morning motivated me to put the pen to the paper.  So here we are....

    The actual time it took to root the box was just a few minutes and the setup actually took longer.  I wanted to have a Windows 10 Pro machine, fully patched, and running current antivirus. 

    As a side note, there's a misconception that antivirus will protect you.  Antivirus is a must but it's trivial to get around as you'll see in a moment.  


    I sent an email to a vendor asking for a document and when the vendor replied to my email with the document attached, the document was password protected.  He said as much and he also said that I could probably crack it.  He is correct.  

    I've probably cracked a PDF once or twice.  I've probably also cracked a few ZIP files, RAR files, and various other files with passwords but I think you get the point.  Essentially, most of these types of files will all crack the same way -- John the Ripper.  

    There are a couple of John the Ripper versions but somewhere along the way, I discovered that the Jumbo John package is the one to use for cracking ZIPs and RAR files.  I don't know whether PDFs fall under that same umbrella but that's where I went.  


    This is something I should have done a long time ago.  I'm frequently hopping on a server and creating a manual backup prior to doing [something].  It's not like this task is complicated but as I was about to manually go through the steps this morning, I thought -- let's finally automate this process.

    There's actually a one-liner for mysqldump but for some reason, it didn't work so I went a different route with the variables at the top which makes it a little easier when recycling this script on another server.


    © 2020 sevenlayers.com