## https://sploitus.com/exploit?id=D473847F-5FA3-51E8-A587-A3A49B60B28F
# (CVE-2023-4220) Chamilo LMS Unauthenticated Big Upload File Remote Code Execution
## Overview
This repository contains a proof-of-concept (PoC) exploit for the vulnerability identified as **CVE-2023-4220** in **Chamilo LMS**. This exploit leverages an unauthenticated file upload vulnerability, allowing remote attackers to execute arbitrary code on the affected system.
**Disclaimer:** This code is for educational and research purposes only. The author is not responsible for any misuse of this code.
## Details
* **CVE ID:** CVE-2023-4220
* **Affected Software:** Chamilo LMS
* **Vulnerability Type:** Unauthenticated Remote Code Execution (RCE)
* **Severity:** Critical
* **Author:** Mohamed Kamel BOUZEKRIA
* **Tested On:** Chamilo 1.11.24 (Codename: Beersel, Release Date: 31/08/2023)
Chamilo LMS versions prior to this release are vulnerable to this issue. The vulnerability arises from improper validation and handling of file uploads, allowing attackers to upload and execute malicious files on the server.
## Explanation:
- Target URL Handling: The script now properly handles the base target URL and constructs the full path to the upload endpoint and the shell file.
- Modular Design: The script is split into two main functions, upload_shell() and execute_command(), making it easier to follow and maintain.
- User Input: Users can specify the name of the shell file to be uploaded with the --shell argument. The default is rce.php.
## Exploit Description
This exploit targets the file upload functionality in Chamilo LMS. By crafting a malicious file containing PHP code and uploading it through an unauthenticated endpoint, an attacker can execute arbitrary commands on the server.
### Exploit Workflow:
1. **Step 1:** Upload a PHP web shell via the vulnerable file upload mechanism.
2. **Step 2:** Access the uploaded file through the web and execute arbitrary commands by passing them as parameters.
## Prerequisites
- Python 3.x installed on your system.
- Requests library: Install via pip install requests.
## Usage
### Step 1: Clone the Repository
```
git clone https://github.com/0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit.git
cd Chamilo-CVE-2023-4220-RCE-Exploit
```
### Step 2: Run the Exploit
Run the exploit by passing the target URL and the command you wish to execute as arguments:
```
python exploit.py <target_url> <command>
```
### Example:
```
python3 exploit.py http://lms.target-site/ id --shell=my_shell.php
```
This command will:
1. Upload a PHP web shell to the specified target_url.
2. Execute the id command on the remote server through the uploaded shell.
### Expected Output
If successful, the script will output:
- Confirmation that the file was uploaded.
- The URL to access the web shell.
- The output of the executed command.
For example:
```
[+] File uploaded successfully!
[+] Access the shell at: http://lms.target-site/main/inc/lib/javascript/bigupload/files/my_shell.php?cmd=
[+] Command Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
# License
This project is licensed under the MIT License.
# References
- [CVE-2023-4220 Details](https://nvd.nist.gov/vuln/detail/CVE-2023-4220)
https://starlabs.sg/advisories/23/23-4220/
# Contact
For any queries or issues, please open an issue on this repository or contact me at [medkamelbouzekria - at - gmail -dot - com].