Multiple unauthenticated remote code execution vulnerabilities in YouPHPTube-Encoder 2.3

Hi,
Welcome to my blog!

In this post, I write about 3 unauthenticated remote code execution vulnerabilities in YouPHPTube-Encoder, the encoder of YouPHPTube.
If you like sharing video, you might already know YouPHPTube, the open-source application written in PHP for building a streaming site that can clone videos from YouTube, Netflix and other sites.

The 3 vulnerabilities are named CVE-2019-5127, CVE-2019-5128, and CVE-2019-5129. All of them have one thing in common: the parameter base64Url is base64 decoded and then executed inside the function exec().

They were found by Yuri Kramarz of Security Advisory EMEAR and disclosed by Talos Intelligence.

CVE-2019-5127

In the file getImage.php, the parameter base64Url is base64 decoded and then inserted into a command string without any validation or sanitization:

Then the command is executed by the function exec():

CVE-2019-5128

This one is very similar to the vulnerability above; it resides in the file getImageMP4.php.

CVE-2019-5129

The same pattern also appears in the file getSpiritsFromVideo.php.
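Because all three bugs share one root cause (a base64Url parameter that is decoded and handed to exec()), a defender can hunt for exploitation attempts in web server access logs by decoding that parameter and checking whether the result still looks like a media URL. The following Python is an added example written for this post, not code from YouPHPTube-Encoder or from the Talos advisories. It assumes Apache combined log format, takes the three script names and the parameter name from the advisories above, and uses constructed sample log lines with RFC 5737 documentation addresses.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote, urlsplit

# Script names and parameter name as given in the three advisories.
VULNERABLE_SCRIPTS = ("getImage.php", "getImageMP4.php", "getSpiritsFromVideo.php")
PARAM = "base64Url"

# Characters that have no business in a media URL that ends up inside exec().
SHELL_META = re.compile(r"[;&|`$<>\n\\]|\$\(")

# Minimal matcher for Apache combined log format (assumption: the server logs in that format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_base64url_param(value: str):
    """Decode the parameter leniently on padding, as PHP's base64_decode() is; None if undecodable."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=False).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def inspect_request(target: str):
    """Return a finding for a request to a vulnerable script whose base64Url is not a plain http(s) URL."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in VULNERABLE_SCRIPTS:
        return None
    values = parse_qs(parts.query).get(PARAM)
    if not values:
        return None
    decoded = decode_base64url_param(values[0])
    if decoded is None:
        return {"script": script, "reason": "undecodable base64Url"}
    if SHELL_META.search(decoded):
        return {"script": script, "reason": "shell metacharacters in decoded base64Url", "decoded": decoded}
    if not decoded.startswith(("http://", "https://")):
        return {"script": script, "reason": "decoded base64Url is not an http(s) URL", "decoded": decoded}
    return None


def scan_log(lines):
    """Run inspect_request over every parseable log line and collect findings with source IP and time."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), ts=m.group("ts"))
            findings.append(finding)
    return findings


def b64_param(url: str) -> str:
    """Base64-encode a value and percent-encode it as a client would when placing it in a query string."""
    return quote(base64.b64encode(url.encode()).decode(), safe="")


def make_log_line(ip: str, target: str) -> str:
    """Constructed access-log line in combined format (sample data, not a real log)."""
    return f'{ip} - - [10/Oct/2019:13:55:36 +0000] "GET {target} HTTP/1.1" 200 512 "-" "curl/7.64.0"'


# Constructed sample log: one benign request, two suspicious ones, one request to an unrelated script.
SAMPLE_LOG = [
    make_log_line("203.0.113.5", "/encoder/getImage.php?base64Url=" + b64_param("https://example.com/clip.mp4")),
    make_log_line("198.51.100.7", "/encoder/getImage.php?base64Url=" + b64_param("https://example.invalid/a.mp4; id")),
    make_log_line("198.51.100.7", "/encoder/getSpiritsFromVideo.php?base64Url=" + b64_param("not a url")),
    make_log_line("203.0.113.9", "/encoder/index.php?base64Url=" + b64_param("https://example.invalid/a.mp4; id")),
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The check is deliberately an allow-list (decoded value must be an http(s) URL free of shell metacharacters) rather than a signature for one payload, so it also catches injection attempts that use separators other than the ones an attacker happened to choose in a known exploit. The same validation, plus escapeshellarg() around the value, is what the PHP side should apply before the string ever reaches exec().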

Exploit

First, you could search for many YouPHPTube-Encoder instances by using BinaryEdge. Sorry but Shodan shows too few results in this case.

Because our command is executed inside the function exec(), the result will not return in the HTTP response. However, we can use DNS exfiltration to get data from DNS requests. You can use your own DNS server or some free online services like DNSBin.

For example, let's use nslookup to make a DNS request with the result of the command injected into the subdomain I took from DNSBin:

Then just see the result in the DNS log:

The technique above is very stealthy but may be slow and complicated. If you want an easier and faster one, you can make a web shell to execute commands.

Sometimes, the web server is configured to disable dangerous functions in PHP by the directive disable_functions. However, you can still bypass it with the JSON serializer; I've written a blog post about it.

Finally, if you don't mind that the admin detects you're exploiting his server, you can make a reverse shell that connects directly back to your VPS.

If you found it valuable, please share it with other people.
If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.
Thank you for reading!
