关联漏洞
标题:
Gibbon 安全漏洞
(CVE-2023-45878)
描述:Gibbon是一个解决教育工作者每天遇到的实际问题的学校平台。 GibbonEdu Gibbon 25.0.1版本存在安全漏洞,该漏洞源于允许未经身份验证的攻击者将任意文件上传到应用程序,并在底层系统上执行代码。
描述
PoC - Arbitrary File Write in Gibbon LMS for RCE (CVE-2023-45878)
介绍
# Gibbon LMS Arbitrary File Write / RCE
## Vulnerability Information
**Arbitrary File Write in Gibbon LMS for RCE (CVE-2023-45878)**<br><br>
GibbonEdu Gibbon LMS version 25.0.1 and earlier allows Arbitrary File Write because rubrics_visualise_saveAjax.php does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).
## References
- https://nvd.nist.gov/vuln/detail/CVE-2023-45878
- https://herolab.usd.de/security-advisories/usd-2023-0025/
## Description
This script provides a *pseudo*-interative shell. A single PHP is uploaded to the remote system and the local script provides a wrapper to interact with it directly. When a command is submitted, it returns the HTTP response from the PHP payload. In the event the payload file is removed from the remote system, the script will detect a 404 error page response, and perform a new upload and resubmit the last command.
## Usage
```python3 gibbonlms_cmd_shell.py url```
## Example
```python3 gibbonlms_cmd_shell.py http://example.com```
## Disclaimer
This script is provided for educational purposes. Please pwn responsibly.
文件快照
[4.0K] /data/pocs/01274eab27f41d5c777142aa8a6ba2387f9a5579
├── [2.6K] gibbonlms_cmd_shell.py
├── [1.0K] LICENSE
└── [1.5K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。