## https://sploitus.com/exploit?id=143A14ED-AD79-5FF6-9262-9DE5FB55B4BB
# Gibbon CMS (CVE-2023-45878) Exploit
This Python script exploits CVE-2023-45878, an unauthenticated arbitrary file upload vulnerability in Gibbon CMS versions 25.0.1 and before, leading to Remote Code Execution (RCE).
## Vulnerability Description
CVE-2023-45878 exists in the `rubrics_visualise_saveAjax.php` endpoint of Gibbon CMS. This endpoint is vulnerable because it does not require authentication and allows arbitrary file writes.
The vulnerability arises from the following:
* **Unauthenticated Access:** The `rubrics_visualise_saveAjax.php` endpoint is accessible without any authentication.
* **Arbitrary File Write:** The endpoint takes `img`, `path`, and `gibbonPersonID` parameters.
  * The `img` parameter is expected to be a base64 encoded image.
  * The `path` parameter, if provided, is used as the destination directory for the uploaded file, relative to the Gibbon installation directory.
  * The endpoint decodes the base64 encoded content from the `img` parameter and writes it to a file within the specified `path`, without validating either the content or the destination.
* **Remote Code Execution:** By crafting a malicious `img` parameter containing PHP code and specifying a `path` that is accessible via the web server, an attacker can upload a PHP webshell and achieve Remote Code Execution on the vulnerable server.
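Because the write happens through a single unauthenticated endpoint and the resulting file is then fetched over HTTP, the pattern is visible in ordinary web server access logs. The following detector is an added example written for this page, not code from the exploit repository or from the Gibbon project: it parses combined-format access log lines, flags POSTs to `rubrics_visualise_saveAjax.php`, flags any request for a `.php` file under directories that should only hold data (the `images/` and `uploads/` set is an assumption, as is the `modules/Rubrics/` prefix used in the constructed sample lines), and raises the severity when the same client did both in sequence.

```python
import re
from collections import OrderedDict
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit

# Script name from the advisory; matched on the basename so the install
# directory and module prefix do not matter.
UPLOAD_ENDPOINT = "rubrics_visualise_saveAjax.php"

# Directories that should never serve PHP in a Gibbon install (assumption;
# extend to match your deployment).
DATA_DIRS = {"images", "uploads"}

# Apache/nginx "combined" log format, up to the response size; referer and
# user agent may follow and are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


class Finding(NamedTuple):
    rule: str
    severity: str
    ip: str
    ts: str
    path: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["uri"]).path  # drop any query string
    return rec


def is_upload_post(rec: dict) -> bool:
    return rec["method"] == "POST" and rec["path"].endswith("/" + UPLOAD_ENDPOINT)


def php_in_data_dir(path: str) -> bool:
    """True when a .php file is requested from a directory that should hold only data."""
    parts = path.lower().split("/")
    return parts[-1].endswith(".php") and any(p in DATA_DIRS for p in parts[:-1])


def analyse(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    # ip -> timestamp of the most recent POST to the upload endpoint
    seen_upload: "OrderedDict[str, str]" = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_post(rec):
            seen_upload[rec["ip"]] = rec["ts"]
            findings.append(Finding("upload_endpoint_post", "medium",
                                    rec["ip"], rec["ts"], rec["path"]))
        elif php_in_data_dir(rec["path"]):
            if rec["ip"] in seen_upload:
                # Same client wrote via the endpoint and then fetched PHP from
                # a data directory: consistent with webshell access.
                findings.append(Finding("webshell_access_after_upload", "critical",
                                        rec["ip"], rec["ts"], rec["path"]))
            else:
                findings.append(Finding("php_in_data_dir", "high",
                                        rec["ip"], rec["ts"], rec["path"]))
    return findings


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /gibbon/index.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:12:00:05 +0000] "POST /gibbon/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 12
203.0.113.7 - - [10/Oct/2023:12:00:09 +0000] "GET /gibbon/images/shell.php HTTP/1.1" 200 33
198.51.100.4 - - [10/Oct/2023:12:01:00 +0000] "GET /gibbon/images/logo.png HTTP/1.1" 200 8812
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.rule}: {f.ip} at {f.ts} -> {f.path}")
```

Run it against a real access log with `analyse(open(path).readlines())`. The endpoint is also used by legitimate rubric workflows, so the medium finding on its own is a triage lead rather than a verdict; the correlated finding, and any PHP served from a data directory, warrant checking the file system for files that the application did not ship.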
## Script Functionality
This Python script automates the exploitation of CVE-2023-45878. It performs the following actions:
1. **Uploads a PHP webshell:** It crafts a malicious request to `rubrics_visualise_saveAjax.php` to upload a PHP webshell. The webshell allows execution of arbitrary commands on the server.
2. **Verifies the shell (optional):** It can optionally verify if the uploaded shell is accessible and functional by sending a verification command (`whoami`) and checking for a specific tag in the response.
3. **Interactive shell (optional):** If the shell is verified, the script can enter an interactive mode, allowing you to execute commands directly on the target server through the webshell.
## Usage
```bash
python exploit.py <target_url> [options]
```
**Arguments:**
* `<target_url>`: The base URL of the target Gibbon CMS instance. Include the full path if Gibbon is installed in a subdirectory (e.g., `http://example.com/gibbon/` or `https://sub.example.com`).
**Options:**
* `-s <shell_path>`, `--shell-path <shell_path>`: Specify the desired path and filename for the uploaded shell (e.g., `images/shell.php`, `shell.php`, `uploads/backdoor.php`). If not provided, a random filename will be generated. **Warning:** Ensure the specified path is writable by the web server and accessible via the web.
* `-v`, `--verify`: Attempt to verify if the uploaded shell is working after the upload. This option sends a `whoami` command to the shell and checks for a specific tag in the response.
* `-i`, `--interactive`: Enter interactive shell mode after successful upload and verification (or if the shell already exists and is verified).
**Examples:**
* **Basic exploit with random shell name:**
```bash
python exploit.py http://target.com/gibbon/
```
* **Exploit and specify shell filename `shell.php` in the root directory:**
```bash
python exploit.py http://target.com/gibbon/ -s shell.php
```
* **Exploit, upload shell to `images/backdoor.php` and verify it:**
```bash
python exploit.py http://target.com/gibbon/ -s images/backdoor.php -v
```
* **Exploit, upload shell, verify, and enter interactive mode:**
```bash
python exploit.py http://target.com/gibbon/ -s shell.php -v -i
```
* **Enter interactive mode with an existing shell (if you know the shell path):**
```bash
python exploit.py http://target.com/gibbon/ -s shell.php -i
```
## Requirements
* **Python 3**
* **`requests` library:** Install using pip: `pip install requests`
## Disclaimer
This script is provided for educational and security testing purposes only. Use it at your own risk and only against systems you have explicit permission to test. The author is not responsible for any misuse or damage caused by this script. Exploiting vulnerabilities without authorization is illegal and unethical.
## References
* [CVE-2023-45878](https://nvd.nist.gov/vuln/detail/CVE-2023-45878)
* [Herolab Security Advisory USD-2023-0025](https://herolab.usd.de/security-advisories/usd-2023-0025)