nil.enroll(aetheric_username, quantum_class_id) (adric) wrote,
nil.enroll(aetheric_username, quantum_class_id)
adric

Moodle sql injection works, milestone complete.

## Since the Moodle external enrollment database code doesn't work,
## we fall back to manual SQL injection for MySQL, eg:
        ## +insert into mdl_role_assignments (roleid,contextid,userid,hidden,timestart,timeend,
        ## timemodified,modifierid,enrol,sortorder) VALUES (5,14,10,0,NOW(),0,NOW(), 2, 'manual',0);+

        ##get Moodle context id
        context_id = CONTEXT_DICTIONARY[course_id]

        ## get a real MySQL handle, scary!
        mysql = ActiveRecord::Base.connection

        ### p "Debug: injecting mysql with payload of 5,#{context_id},#{user_id},0,unix_timestamp(),0,unix_timestamp(), 2, 'manual',0"

        injector = "insert into mdl_role_assignments (roleid,contextid,userid,hidden,timestart,timeend,timemodified,modifierid,enrol,sortorder) 
        VALUES (5,#{context_id},#{user_id},0,unix_timestamp(),0,unix_timestamp(), 2, 'manual',0);"


r175 | bsk | 2008-12-13 21:44:28 -0500 (Sat, 13 Dec 2008) | 1 line

even less debug. also, it seems to work on the dev data


That was a few hours, 15 deltas and a lot of documentation and fiddling ago.
Now I'm just screwing around with Trac.
Tags: rails
Subscribe

  • To not quote Ms. Spears...

    Oops? I managed to avoid keeping this one only by sheer force of willpower, and I could tell she was disappointed. *long drawn out sigh* We…

  • Hopped onto SL tonight and got some chat in, sideways

    ... at a funny angle with an @adj_list av I've 'known' for ages but don't know at all. We got a chance to talk for the first time in ages (or…

  • SL Renewal? Downgrade to Free

    Nets me a form to fill out: "You've decided to discontinue land ownership in Second Life, and it would help us a lot to understand why."…

  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 0 comments