Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-4220 PoC — Chamilo LMS 安全漏洞

Source
https://github.com/0x00-null/-Chamilo-CVE-2023-4220-RCE-Exploit
Associated Vulnerability
Title:Chamilo LMS 安全漏洞 (CVE-2023-4220)
Description:Chamilo LMS是Chamilo协会的一套开源的在线学习和协作系统。该系统支持创建教学内容、远程培训和在线答题等。 Chamilo LMS v1.11.24 版本及之前版本存在安全漏洞,该漏洞源于 “/main/inc/lib/javascript/bigupload/inc/bigUpload.php”页面存在大文件上传功能存在不受限制的文件上传。
Description
(CVE-2023-4220) Chamilo LMS Unauthenticated Big Upload File Remote Code Execution
Readme
# (CVE-2023-4220) Chamilo LMS Unauthenticated Big Upload File Remote Code Execution 
## Overview

This repository contains a proof-of-concept (PoC) exploit for the vulnerability identified as **CVE-2023-4220** in **Chamilo LMS**. This exploit leverages an unauthenticated file upload vulnerability, allowing remote attackers to execute arbitrary code on the affected system.

**Disclaimer:** This code is for educational and research purposes only. The author is not responsible for any misuse of this code.

## Details
* **CVE ID:** CVE-2023-4220
* **Affected Software:** Chamilo LMS
* **Vulnerability Type:** Unauthenticated Remote Code Execution (RCE)
* **Severity:** Critical
* **Author:** Mohamed Kamel BOUZEKRIA
* **Tested On:** Chamilo 1.11.24 (Codename: Beersel, Release Date: 31/08/2023)

Chamilo LMS versions prior to this release are vulnerable to this issue. The vulnerability arises from improper validation and handling of file uploads, allowing attackers to upload and execute malicious files on the server.

## Exploit Description

This exploit targets the file upload functionality in Chamilo LMS. By crafting a malicious file containing PHP code and uploading it through an unauthenticated endpoint, an attacker can execute arbitrary commands on the server.

### Exploit Workflow:
1. **Step 1:** Upload a PHP web shell via the vulnerable file upload mechanism.
2. **Step 2:** Access the uploaded file through the web and execute arbitrary commands by passing them as parameters.

## Prerequisites
- Python 3.x installed on your system.
- Requests library: Install via pip install requests.

## Usage
### Step 1: Clone the Repository

```
git clone https://github.com/0x00-null/-Chamilo-CVE-2023-4220-RCE-Exploit.git
cd -Chamilo-CVE-2023-4220-RCE-Exploit
```

### Step 2: Run the Exploit

Run the exploit by passing the target URL and the command you wish to execute as arguments:

```
python exploit.py <target_url> <command>
```

### Example:

```
python exploit.py http://target-site/path-to-upload id
```

This command will:
1. Upload a PHP web shell to the specified target_url.
2. Execute the id command on the remote server through the uploaded shell.

### Expected Output

If successful, the script will output:
- Confirmation that the file was uploaded.
- The URL to access the web shell.
- The output of the executed command.

For example:

```
[+] File uploaded successfully!
[+] Access the shell at: http://target-site/uploads/shell.php?cmd=id
[+] Command Output: uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

# License

This project is licensed under the MIT License.

# References
- [CVE-2023-4220 Details](https://nvd.nist.gov/vuln/detail/CVE-2023-4220)
https://starlabs.sg/advisories/23/23-4220/

# Contact

For any queries or issues, please open an issue on this repository or contact me at [medkamelbouzekria@hotmail.fr].
File Snapshot

 [4.0K]  /data/pocs/c14736966d094ae08a10ec8090fa45592aaa79f6
├── [2.9K]  exploit.py
├── [1.1K]  LICENSE
└── [2.8K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.