From bdf2d44415b42e822b445b1c784093601eaffc2b Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 23 Oct 2018 07:04:14 -0500
Subject: [PATCH] Augment check with Apache Server header
---
 .../unix/webapp/jquery_file_upload.rb | 23 ++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/unix/webapp/jquery_file_upload.rb b/modules/exploits/unix/webapp/jquery_file_upload.rb
index e4dd98c386..724d091eb6 100644
--- a/modules/exploits/unix/webapp/jquery_file_upload.rb
+++ b/modules/exploits/unix/webapp/jquery_file_upload.rb
@@ -76,6 +76,8 @@ class MetasploitModule < Msf::Exploit::Remote
 end
 def check
+ a = nil
+
 version_paths.each do |u|
 vprint_status("Checking #{u}")
@@ -84,14 +86,29 @@ class MetasploitModule < Msf::Exploit::Remote
 'uri' => u
 )
- next unless res && res.code == 200 && (j = res.get_json_document) &&
+ next unless res
+
+ unless a
+ res.headers['Server'] =~ /Apache\/([\d.]+)/ &&
+ $1 && (a = Gem::Version.new($1))
+
+ # We have to make some assumptions about configuration here
+ if a && a >= Gem::Version.new('2.3.9')
+ vprint_good("Found Apache #{a} (AllowOverride None)")
+ elsif a
+ vprint_error("Found Apache #{a} (AllowOverride All)")
+ return CheckCode::Safe
+ end
+ end
+
+ next unless res.code == 200 && (j = res.get_json_document) &&
 j['version'] && (v = Gem::Version.new(j['version']))
 if v <= Gem::Version.new('9.22.0')
- vprint_good("Found unpatched version #{v}")
+ vprint_good("Found unpatched jQuery File Upload #{v}")
 return CheckCode::Appears
 else
- vprint_error("Found patched version #{v}")
+ vprint_error("Found patched jQuery File Upload #{v}")
 return CheckCode::Safe
 end
 end
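Review bot: The `elsif a` branch returns `CheckCode::Safe` on the strength of the `Server` banner alone, but that header is self-reported and `AllowOverride` can be set explicitly on any Apache version, so someone using `check` to triage hosts can get a false negative from a proxied, rewritten or hand-configured server. I would downgrade that branch to `return CheckCode::Unknown` (or drop the return and let the jQuery File Upload version test decide) and word both messages as assumptions, e.g. `vprint_error("Found Apache #{a} (AllowOverride All is the default)")`. Separately, `[\d.]+` also captures strings such as `2.4.` that `Gem::Version.new` rejects with `ArgumentError`, so a malformed banner aborts the check; `/Apache\/(\d+(?:\.\d+)*)/` keeps the capture well-formed. `check` begins in the previous hunk and continues past the end of this one.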