Good evening, friends. Today we will see how to exploit a vulnerability in the recent version of a popular program, ATutor, with Metasploit. This vulnerability exists in the most recent version released, i.e., ATutor 2.2.1. For newbies who don’t know what ATutor is, it is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. It boasts 216 downloads per week from SourceForge alone. There are two vulnerabilities present in the version mentioned above. We will exploit a SQL injection vulnerability in this howto. So let’s get onto hacking ATutor 2.2.1 with Metasploit. Start Metasploit and load the exploit as shown below.
Set the required options. For now, we only need the target IP address. Check whether your target is vulnerable, as shown below.
Type the command “show payloads” and choose the required payload. I chose the payload below. Once again, type the command “show options” and set the attacker system’s (i.e., our system’s) IP address, which I am not gonna show below.
Run the exploit by typing the command “run”. The exploit will run and a command shell will be opened on the target system, as shown below. (Watch out for the easter egg, which we will use in our future howtos.)
To learn about the target system, type the commands shown below. Happy hacking.