CVE-2016-2555
published 2017-04-13


Priority: P278
Severity: critical, CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: publicly available
EPSS: 79.62% (99.6th percentile)
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.

Affected (1 range)

Vendor: atutor
Product: atutor
Version range: not listed
Fixed in: not listed

Detection & IOCs (extracted from sources)

url: /ATutor/mods/_standard/social/connections.php
url: /ATutor/mods/_core/modules/install_modules.php
url: /ATutor/login.php
path: include/lib/mysql_connect.inc.php
cookie: ATutorID
command: search_friends POST parameter with SQL injection payload: "<rand_alpha>'/**/or/**/<sqli>/**/or/**/1='"
command: select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1
  • Monitor POST requests to connections.php containing SQL metacharacters (single quotes, comment sequences /**/) in the search_friends parameter, indicative of blind SQL injection attempts against the searchFriends function.
  • Detect POST requests to /ATutor/mods/_core/modules/install_modules.php with multipart/form-data containing a ZIP file upload (modulefile field), which is the second stage of the exploit chain used to achieve RCE after SQL injection credential dumping.
  • Alert on HTTP responses from ATutor connections.php containing 'There are \d entries.' pattern, which is the oracle response used by the blind SQL injection to enumerate data character by character.
  • Detect GET requests to /ATutor/mods/<plugin_name>/<payload_name>.php with a custom HTTP header containing base64-encoded PHP payload, indicating webshell execution after successful upload.
  • The exploit targets the searchFriends function via friends.inc.php; monitor for SQL injection patterns in any POST body parameter named search_friends_<single_char> directed at ATutor social/connections endpoints.
  • The Metasploit module requires valid credentials (student-level account) to reach the SQL injection endpoint; remote registration is enabled by default in ATutor 2.2.1, lowering the barrier to exploitation.
  • The default TARGETURI for the ATutor installation is '/ATutor/'; deployments at non-default paths will require adjustment of detection rules targeting specific URI patterns.
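As an added example (not code from this page, the ATutor project or the Metasploit module), the detector below applies the connections.php, install_modules.php and oracle-response rules above to constructed traffic records. The record format (METHOD PATH | request body | response snippet), the sample lines and the alert names are assumptions made for the example; it correlates the "There are N entries." response with a suspicious request rather than alerting on it alone, since legitimate friend searches produce the same text.

```python
import re

# Constructed sample traffic (not taken from the page). Assumed format, one
# request per line: METHOD PATH | REQUEST BODY | RESPONSE BODY SNIPPET
SAMPLE_LOG = """\
POST /ATutor/mods/_standard/social/connections.php | search_friends_a=Alice | There are 2 entries.
POST /ATutor/mods/_standard/social/connections.php | search_friends_x=zq'/**/or/**/1='1 | There are 1 entries.
POST /ATutor/mods/_core/modules/install_modules.php | Content-Type: multipart/form-data; modulefile=m.zip | Installed
GET /ATutor/login.php |  | Login"""

CONNECTIONS_RE = re.compile(r"/mods/_standard/social/connections\.php$")
INSTALL_RE = re.compile(r"/mods/_core/modules/install_modules\.php$")
# Parameter name pattern from the detection notes: search_friends_<single char>.
PARAM_RE = re.compile(r"(?:^|&)search_friends_\w=([^&]*)")
# SQL metacharacters called out in the detection notes: quotes, /**/ comments.
SQLI_META_RE = re.compile(r"'|/\*\*/")
ORACLE_RE = re.compile(r"There are \d+ entries\.")

def classify(line: str) -> list[str]:
    """Return the alert names triggered by one log record (empty if benign)."""
    method_path, body, response = (part.strip() for part in line.split("|", 2))
    method, path = method_path.split(" ", 1)
    alerts: list[str] = []
    if method == "POST" and CONNECTIONS_RE.search(path):
        values = PARAM_RE.findall(body)
        if any(SQLI_META_RE.search(v) for v in values):
            alerts.append("sqli_search_friends")
            # The "There are N entries." text is also returned to legitimate
            # searches, so the oracle signature is only escalated when the
            # request itself already looks like an injection attempt.
            if ORACLE_RE.search(response):
                alerts.append("blind_sqli_oracle_response")
    if method == "POST" and INSTALL_RE.search(path) \
            and "multipart/form-data" in body and "modulefile" in body:
        alerts.append("module_zip_upload")
    return alerts

def scan(log: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to their alerts, skipping benign records."""
    findings = {}
    for lineno, line in enumerate(log.splitlines(), start=1):
        alerts = classify(line)
        if alerts:
            findings[lineno] = alerts
    return findings

if __name__ == "__main__":
    for lineno, alerts in scan(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(alerts)}")
```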

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)