CVE-2016-2555
Published 2017-04-13
Priority: P278 · critical 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 79.62% (99.6th percentile)
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atutor | atutor | — | — |
Detection & IOCs (extracted from sources)
- command: search_friends POST parameter with SQL injection payload: "<rand_alpha>'/**/or/**/<sqli>/**/or/**/1='"
- Monitor POST requests to connections.php containing SQL metacharacters (single quotes, comment sequences /**/) in the search_friends parameter, indicative of blind SQL injection attempts against the searchFriends function.
- Detect POST requests to /ATutor/mods/_core/modules/install_modules.php with multipart/form-data containing a ZIP file upload (modulefile field), which is the second stage of the exploit chain used to achieve RCE after SQL injection credential dumping.
- Alert on HTTP responses from ATutor connections.php containing the 'There are \d entries.' pattern, which is the oracle response used by the blind SQL injection to enumerate data character by character.
- Detect GET requests to /ATutor/mods/<plugin_name>/<payload_name>.php with a custom HTTP header containing a base64-encoded PHP payload, indicating webshell execution after a successful upload.
- The exploit targets the searchFriends function via friends.inc.php; monitor for SQL injection patterns in any POST body parameter named search_friends_<single_char> directed at ATutor social/connections endpoints.
- The Metasploit module requires valid credentials (student-level account) to reach the SQL injection endpoint; remote registration is enabled by default in ATutor 2.2.1, lowering the barrier to exploitation.
- The default TARGETURI for the ATutor installation is '/ATutor/'; deployments at non-default paths will require adjustment of detection rules targeting specific URI patterns.
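The indicators above, applied to normalised HTTP events, as an added example (not code from the page, ATutor or the Metasploit module). The event schema (method, path, form, content_type, response) and the sample events are assumptions constructed for the demonstration; matching is done on the script name so a non-default TARGETURI still triggers, and the oracle response is only reported alongside an injected request because on its own it is also a normal search result.

```python
import re

# Added example (not page or project code): apply the indicators above to
# normalised HTTP events. The event schema (method, path, form, content_type,
# response) is an assumption; SAMPLE_EVENTS below is constructed, not real.

SQL_META = re.compile(r"'|/\*\*/")                   # quotes and /**/ comment sequences
SEARCH_PARAM = re.compile(r"^search_friends(_.)?$")  # search_friends or search_friends_<c>
ORACLE = re.compile(r"There are \d+ entries\.")      # blind-SQLi oracle; \d+ broadens the page's \d

SAMPLE_EVENTS = [  # constructed; the connections.php path is illustrative
    {"method": "POST", "path": "/ATutor/mods/_standard/social/connections.php",
     "form": {"search_friends_1": "xy'/**/or/**/<sqli>/**/or/**/1='"},
     "response": "There are 1 entries."},
    {"method": "POST", "path": "/ATutor/mods/_standard/social/connections.php",
     "form": {"search_friends_1": "alice"}, "response": "There are 3 entries."},
    {"method": "POST", "path": "/lms/mods/_core/modules/install_modules.php",
     "content_type": "multipart/form-data; boundary=abc",
     "form": {"modulefile": "module.zip"}, "response": ""},
]

def classify(event):
    """Return the indicator names matched by one HTTP event."""
    hits = []
    script = event["path"].rsplit("/", 1)[-1]  # ignore the TARGETURI prefix
    form = event.get("form", {})
    if event["method"] == "POST" and script == "connections.php":
        if any(SEARCH_PARAM.match(k) and SQL_META.search(v) for k, v in form.items()):
            hits.append("sqli_in_search_friends")
            # The oracle string is also a normal search result, so alone it is
            # noise; report it only when the request itself looked injected.
            if ORACLE.search(event.get("response", "")):
                hits.append("blind_sqli_oracle")
    if (event["method"] == "POST" and script == "install_modules.php"
            and event.get("content_type", "").startswith("multipart/form-data")
            and "modulefile" in form):
        hits.append("module_zip_upload")  # second stage of the chain (RCE)
    return hits

def scan(events):
    """Map event index -> matched indicators, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```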
CVSS provenance
- NVD v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
Exploit-DB
ATutor 2.2.1 - SQL Injection / Remote Code Execution (Metasploit)
exploitdb·2016-03-01
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'ATutor 2.2.1 SQL Injection / Remote Code Execution',
      'Description' => %q{
        This module exploits a SQL Injection vulnerability and an authentication weakness
        vulnerability in ATutor. This essentially means an attacker can bypass authentication
        and reach the administrator's interface where they can upload malicious code.
        You are required to login to the target to reach the SQL Injection, however this
        can be done as a student account and remote registration is enabled by default.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'mr_me ', # initial discovery
```
ATutor 2.2.1 Directory Traversal / Remote Code Execution
metasploit
ATutor 2.2.1 Directory Traversal / Remote Code Execution
ATutor 2.2.1 Directory Traversal / Remote Code Execution
This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP setup with display_errors set to On, which can be used to allow us to upload a malicious ZIP file. On the web application, a blacklist verification is performed before extraction, however it is not sufficient to prevent exploitation. You are required to login to the target to reach the vulnerability, however this can be done as a student account and remote registration is enabled by default. Just in case remote registration isn't enabled, this module uses 2 vulnerabilities in order to bypass the authentication: 1. confirm.php Authentication Bypass Type Juggling vulnerability 2. password_reminder.php Remote Password Reset TOCTOU vulnerability
Metasploit
ATutor 2.2.1 SQL Injection / Remote Code Execution
metasploit
This module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially means an attacker can bypass authentication and reach the administrator's interface where they can upload malicious code.
arXiv
LLM-Enhanced Software Patch Localization
arxiv_fulltext·2024-09-13
Jinhong Yu [1], Yi Chen [2,3], Di Tang [2], Xiaozhong Liu [1], XiaoFeng Wang [2], Chen Wu [4], Haixu Tang [2]
[1] Worcester Polytechnic Institute; [2] Indiana University Bloomington; [3] The University of Hong Kong; [4] Microsoft
## Abstract
Open source software (OSS) is integral to modern product development, and any vulnerability within it potentially compromises numerous products. While developers strive to apply security patches, pinpointing these patches among extensive OSS updates remains a challenge. Security patch localization (SPL) recommendation methods are leading approaches to address this. However, existing SPL models often falter when a commit lacks a clear association with its corresponding CVE, and do not consider a scenario that a vulnerability has
arXiv
On generating network traffic datasets with synthetic attacks for intrusion detection
arxiv_fulltext·2019-05-01
Carlos Garcia Cordero (Technische Universität Darmstadt, Telecooperation Group, Darmstadt 64289, Hessen, Germany); Emmanouil Vasilomanolakis (Aalborg University, Electronic Systems, Center for Communication, Media and Information technologies, Copenhagen 2450, Denmark); Aidmar Wainakh and Max Mühlhäuser (Technische Universität Darmstadt, Telecooperation Group, Darmstadt 64289, Hessen, Germany); Simin Nadjm-Tehrani (Linköping University, Real-time Systems Laboratory, Linköping S-581 83, Sweden)
## Abstract
Most research in the area of intrusion detection requires datasets to develop, evaluate or compare systems in one way or another. In th
References
- http://sourceincite.com/research/src-2016-08/
- http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli
- https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298
- https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85
- https://www.exploit-db.com/exploits/39514/