
PoC for CVE-2018-9206


Based on the following:

original PoC

Python PoC


usage: [-h] [-p PREFIX] [-u USER_AGENT] host

CVE-2018-9206 PoC, initial release by Den1al, enhanced by NopSec

positional arguments:
  host                  the host to check, host:port, or CIDR range

optional arguments:
  -h, --help            show this help message and exit
  -p PREFIX, --prefix PREFIX
                        The prefix for the path
  -u USER_AGENT, --user-agent USER_AGENT
                        The user agent to send the requests with


pip3 install -r requirements.txt

Useful stuff to know

  • The path prefix is set to "jQuery-File-Upload-9.22.0"; this may not reflect the default path of the vulnerable files on your server(s). If the default setting fails, I'd recommend trying "jQuery-File-Upload".

  • There is no output for hosts that are not vulnerable.
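
A defender-side check for the two points above, as an added example that is not part of this repository: because both the path prefix and the User-Agent are configurable, it triages web access logs by request path only. The Combined Log Format, the sample lines, and the `upload-handler` and `uploads/x.php` paths are constructed assumptions.

```python
import re

# Matches both prefixes named above, plus any other versioned directory name.
PREFIX_RE = re.compile(r"/jQuery-File-Upload(?:-[\d.]+)?/", re.IGNORECASE)
# Combined Log Format: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RANK = ["probe", "upload", "script-fetched-after-upload"]  # low to high

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2018:10:00:01 +0000] "GET /jQuery-File-Upload-9.22.0/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2018:10:00:02 +0000] "POST /jQuery-File-Upload/upload-handler HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Oct/2018:10:00:03 +0000] "GET /jQuery-File-Upload/uploads/x.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [31/Oct/2018:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.61"
198.51.100.9 - - [31/Oct/2018:10:06:00 +0000] "GET /jquery-file-upload-9.22.0/README.md HTTP/1.1" 200 900 "-" "curl/7.61"
"""


def triage(log_text):
    """Return {client_ip: highest severity seen} for requests under the prefix."""
    findings = {}
    posted = set()  # clients that completed a POST under the prefix
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PREFIX_RE.search(m["path"]):
            continue
        ip, method, status = m["ip"], m["method"], m["status"]
        path = m["path"].split("?", 1)[0].lower()
        ok = status.startswith("2")
        level = "probe"
        if method == "POST" and ok:
            posted.add(ip)
            level = "upload"
        elif ip in posted and ok and path.endswith(".php"):
            # A served script right after an upload is the case to escalate.
            level = "script-fetched-after-upload"
        findings[ip] = max(findings.get(ip, "probe"), level, key=RANK.index)
    return findings


if __name__ == "__main__":
    for client, level in triage(SAMPLE_LOG).items():
        print(client, level)
```

Because the PoC's uploaded file deletes itself, the access log may be the only remaining trace, so a `probe` result with 404s still identifies a host that was scanned.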


Larry Cashdollar

Daniel Abeles

Shawn Evans