CVE-2019-5127

CVE-2019-5128

CVE-2019-5129

Exploit

Hi,Welcome to my blog!In this post, I write about 3 unauthenticated remote code execution vulnerabilities in YouPHPTube-Encoder , the encoder of YouPHPTube If you like sharing video, you might already know YouPHPTube, the open-source application written in PHP for constructing a streaming site that can clone videos from YouTube, Netflix,...The 3 vulnerabilities are named CVE-2019-5127 CVE-2019-5128 , and CVE-2019-5129 . All of them have one thing in similar: the parameteris base64 decoded and then executed inside the functionFirstly, they are found by Yuri Kramarz of Security Advisory EMEAR and disclosed by Talos Intelligence In the file getImage.php , the parameter base64Url is ba64 decoded and then inserted to a command string without any validation or sanitization:Then the command is executed by the functionThis one is very similar to the vulnerability above, it resides in the file getImageMP4.php And also in the file getSpiritsFromVideo.php First, you could search for many YouPHPTube-Encoder instances by using BinaryEdge . Sorry but Shodan shows too few results in this case.Because our command is executed inside the function exec() , the result will not return in the HTTP response. However, we can use DNS exfiltration to get data from DNS requests. You can use your own DNS server or some free online services like DNSBin For example, let's useto make a DNS request with the result of the command inject to the subdomain I take from DNSBin:Then just see the result in the DNS log:The technique above is very stealthy but may be slow and complicated. If you want an easier and faster one, you can make a web shell to execute commands.Sometimes, the webserver is configured to disable dangerous functions in PHP by the directive. However, you can still bypass it with JSON serializer.I've written a blog post about it.Finally, if you don't mind that the admin detects you're exploiting his server, you can make a reverse shell connects directly back to your VPS.If you found it valuable, please share it with other people.If you have any questions, please don't hesitate to ask me on Twitter or leave a comment.Thank you for reading!