Multiple unauthenticated remote code execution vulnerabilities in YouPHPTube-Encoder 2.3

Welcome to my blog!

In this post, I write about 3 unauthenticated remote code execution vulnerabilities in YouPHPTube-Encoder, the encoder of YouPHPTube.
If you like sharing video, you might already know YouPHPTube, the open-source application written in PHP for constructing a streaming site that can clone videos from YouTube, Netflix,...

The 3 vulnerabilities are named CVE-2019-5127, CVE-2019-5128, and CVE-2019-5129. All of them have one thing in similar: the parameter base64Url is base64 decoded and then executed inside the function exec().

Firstly, they are found by Yuri Kramarz of Security Advisory EMEAR and disclosed by Talos Intelligence.


In the file getImage.php, the parameter base64Url is ba64 decoded and then inserted to a command string without any validation or sanitization:

Then the command is executed by the function exec():


This one is very similar to the vulnerability above, it resides in the file getImageMP4.php.


And also in the file getSpiritsFromVideo.php.


First, you could search for many YouPHPTube-Encoder instances by using BinaryEdge. Sorry but Shodan shows too few results in this case.

Because our command is executed inside the function exec(), the result will not return in the HTTP response. However, we can use DNS exfiltration to get data from DNS requests. You can use your own DNS server or some free online services like DNSBin.

For example, let's use nslookup to make a DNS request with the result of the command inject to the subdomain I take from DNSBin:

Then just see the result in the DNS log:

The technique above is very stealthy but may be slow and complicated. If you want an easier and faster one, you can make a web shell to execute commands.

Sometimes, the webserver is configured to disable dangerous functions in PHP by the directive disable_functions. However, you can still bypass it with JSON serializer.
I've written a blog post about it.

Finally, if you don't mind that the admin detects you're exploiting his server, you can make a reverse shell connects directly back to your VPS.

If you found it valuable, please share it with other people.
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!