Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22513
HistorySep 24, 2009 - 12:00 a.m.

Engeman - SQL Injection Vulnerability (vendor url erratum)

2009-09-2400:00:00
vulners.com
36
JSON

Engeman is a Brasilian software for maintenance control.

Version tested: 6.x.x and prior. Next versions appears vulnerable too.

The attacker can inject sql codes in username textbox:

SQL dump affter injection:

select nome,senha,diasexp,dataltsen,permitetroca from cfgusr where nome='NULL' OR NOME<>'1'

select nomegrupo from cfgusr where ignoragrupo='N' and nome='NULL' OR NOME='1'

In firebird the attack have a low impact, but in SQL Server may compromisse the server.

**** The version tested is a made in DELPH language, NOT is a Web Software!****

Vendor site: www.engeman.com.br.

Plase, give the credits to: Crash and Sl0t - DcLabs

TrankΒ΄s.

JSON