
CVE-2019-12170 PoC — ATutor code issue vulnerability

Associated Vulnerability
Title: ATutor code issue vulnerability (CVE-2019-12170)
Description: ATutor is an open-source, web-based learning content management system (LCMS) developed by the ATutor team. It includes modules for teaching content management, forums, chat rooms and more. ATutor 2.2.4 and earlier contain an arbitrary file upload vulnerability; an attacker can exploit it through the backup component to execute commands.
Description
ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)
Readme
# ATutor-Instructor-Backup-Exploit

- Exploit Title: ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)
- Google Dork: inurl:/ATutor/login.php
- Date: 5/13/2019
- Exploit Author: liquidsky (Joseph McPeters)
- Vendor Homepage: https://atutor.github.io/
- Software Link: https://sourceforge.net/projects/atutor/files/latest/download
- Version: <= 2.2.4 (version 2.2.4 and prior seem to be affected)
- Tested on: Windows 7 with XAMPP / Linux 3.16.0-4-amd64 with version 2.2.4 and 2.2.1
- Authors Site: http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12170

ATutor 2.2.4 is vulnerable to arbitrary file uploads via the backup function that may result in remote command execution.

First login with the instructor account and select a course:

- #1 http://[atutor address]/atutor/bounce.php?course=1

Then navigate to "Manage"

- #2 http://[atutor address]/atutor/tools/index.php

Next select Backups/Upload

- #3 http://[atutor address]/atutor/mods/_core/backups/upload.php

From here a specially crafted backup zip file, e.g. "pwned_backup.zip", can be uploaded that results in remote command execution.

The PoC arbitrary file can be found at:
http://[atutor address]/atutor/content/1/pwned/poc.PhP

or

C:\xampp\htdocs\ATutor\content\1\pwned\poc.PhP

Note: The "1" in the address changes with the course number, and the "content" directory may be named differently.
However, by default the installation uses "content" as the directory name. This has been tested on both Linux and Windows installations.
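The two checks a defender wants here follow directly from the write-up: the restore step extracts whatever the uploaded archive contains into the course's content directory, and the planted file is named with a case-variant extension (`poc.PhP`) that a case-sensitive denylist lets through while the web server still executes it. The Python below is an added example, not part of the PoC repository or of ATutor; it audits a backup zip before restore (rejecting entries with an executable extension, compared case-insensitively, and entries that would escape the extraction directory) and scans an existing content tree for files the server would execute. The archive and directory layout it builds are constructed samples, and the extension list is an assumption about a typical PHP handler configuration.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Extensions a typical PHP web server hands to the interpreter (assumed list).
# The comparison is case-insensitive: a name like "poc.PhP" is only useful to an
# uploader when a case-sensitive denylist rejects ".php" but not ".PhP".
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar", ".phps"}


def is_unsafe_path(name: str) -> bool:
    """True if a zip entry name would land outside the extraction directory."""
    name = name.replace("\\", "/")
    if name.startswith("/") or ":" in name.split("/", 1)[0]:  # absolute or drive-letter path
        return True
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def has_executable_extension(name: str) -> bool:
    """Case-insensitive check of the last extension, so '.PhP' matches '.php'."""
    return posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS


def audit_backup_archive(data: bytes) -> list:
    """Inspect a backup zip before restoring it.

    Returns (entry_name, reason) pairs; an empty list means no entry would escape
    the content directory or be executable by the web server.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_path(info.filename):
                findings.append((info.filename, "path traversal"))
            if has_executable_extension(info.filename):
                findings.append((info.filename, "executable extension"))
    return findings


def scan_content_dir(root: str) -> list:
    """Walk an existing content directory and list files the server would execute.

    Course content is meant to be static (HTML, media), so any hit deserves an
    incident-response look, whatever the letter case of the extension.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            if has_executable_extension(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry, one case-variant PHP name, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lesson1/index.html", "<p>lesson</p>")
        zf.writestr("lesson1/notes.PhP", "")              # constructed; empty body on purpose
        zf.writestr("../../outside.txt", "constructed")   # would escape the course directory
    return buf.getvalue()


def demo_scan() -> list:
    """Constructed content tree on disk (course 1), scanned with scan_content_dir()."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "1", "pwned"))
        with open(os.path.join(root, "1", "index.html"), "w") as fh:
            fh.write("<p>course</p>")
        with open(os.path.join(root, "1", "pwned", "poc.PhP"), "w") as fh:
            fh.write("")                                   # constructed; empty body
        return scan_content_dir(root)


if __name__ == "__main__":
    for entry, reason in audit_backup_archive(build_sample_archive()):
        print(f"REJECT {entry}: {reason}")
    for path in demo_scan():
        print(f"FOUND {path}")
```

`audit_backup_archive` is the pre-restore gate: refuse the whole archive on the first finding rather than extracting the "good" entries, since a restore that partially succeeds still leaves the course in an inconsistent state. `scan_content_dir` is the after-the-fact check for installations that cannot be patched (the write-up notes ATutor is unmaintained); pairing it with a web-server rule that disables script execution under the content directory removes the execution primitive even if an upload gets through.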

- A copy of the PoC zip file (pwned_backup.zip) can be downloaded: https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File

Screenshots are included to show the exact steps to reproduce the exploit.

Update: There is no fix for this issue; ATutor is no longer maintained. [5/22/19]

- Directory traversal is also possible if the content directory is not in the webroot. 

For more information on a directory traversal proof of concept, see: https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit/

- CVE-2019-12170: https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File
- CVE-2019-12169: https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit
File Snapshot

[4.0K] /data/pocs/43b745977c21d6060d01062f9212649f694accec
├── [ 32K] 1_Atutor_Course.jpg
├── [ 41K] 2_Atutor_Manage.jpg
├── [ 20K] 3_Atutor_Backups.jpg
├── [ 34K] 4_Atutor_Upload.jpg
├── [ 22K] 5_Atutor_pwned_backup.jpg
├── [ 48K] 6_Atutor_restore.jpg
├── [ 43K] 7_Atutor_Success.jpg
├── [ 36K] 8_Atutor_Payload.jpg
├── [1.1K] pwned_backup.zip
└── [2.3K] README.md

0 directories, 10 files