Bangyong PM2 SQL Injection Scanner
Detects 'SQL Injection (SQLi)' vulnerability in Bangyong PM2.
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 27 days 2 hours
Scan only one: Domain, Subdomain, IPv4
Bangyong PM2 is a project management software used by organizations to manage and streamline their project workflows. Developed by Beijing Bangyong Technology Co., Ltd., it is designed to assist project managers in planning, monitoring, and executing projects. With investment backing from IDG Capital, Intel Corporation, and Morgan Stanley, the software has gained prominence as a robust solution for project management. The software is typically used in corporate environments where efficient management of tasks, resources, and timelines is crucial. Bangyong PM2 supports various modules that integrate project management tasks with advanced reporting and analytics.
The SQL Injection vulnerability identified in Bangyong PM2 affects the Global_UserLogin.aspx interface due to improper input validation. This vulnerability results from concatenating user inputs directly into SQL query statements without effective filtering. An attacker can exploit this SQL Injection to manipulate database queries, potentially gaining unauthorized access to sensitive data. Such vulnerabilities can lead to severe security breaches, compromising data integrity and confidentiality.
The vulnerability specifically lies in the Global_UserLogin.aspx interface, where user-supplied input is not adequately sanitized. This input is concatenated into the SQL queries executed by the backend database. An attacker can craft malicious input to alter SQL queries, effectively bypassing authentication mechanisms or accessing unauthorized data. The vulnerability is confirmed when input like "waitfor delay '0:0:6' --" causes a delay, indicating SQL execution.
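For asset owners reviewing their own logs, the delay-based confirmation described above leaves a recognizable trace. The following is an added example, not part of the scanner or of Bangyong PM2: it scans IIS W3C log text for requests to Global_UserLogin.aspx that carry a WAITFOR DELAY string and compares the logged time-taken with the requested delay. The log lines, the parameter name `p` and the function name are constructed for illustration, and the example assumes the input appears in the logged query string.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log sample (not real traffic). The parameter name "p"
# is a placeholder: the page does not name the affected parameter.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2024-05-01 10:00:01 203.0.113.7 GET /Global_UserLogin.aspx p=alice 200 120
2024-05-01 10:00:09 203.0.113.9 GET /Global_UserLogin.aspx p=waitfor+delay+%270%3A0%3A6%27+-- 200 6140
2024-05-01 10:00:20 203.0.113.9 GET /Global_UserLogin.aspx p=WAITFOR%20DELAY%20%270%3A0%3A6%27%20-- 500 35
2024-05-01 10:00:31 198.51.100.4 GET /Default.aspx - 200 6500
"""

TARGET = "/global_userlogin.aspx"
WAITFOR = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.I)

def find_timing_probes(log_text):
    """Return one finding per request to TARGET whose query holds WAITFOR DELAY."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != TARGET:
            continue
        match = WAITFOR.search(unquote_plus(row.get("cs-uri-query", "")))
        if not match:
            continue
        hours, minutes, seconds = map(int, match.groups())
        delay_ms = ((hours * 60 + minutes) * 60 + seconds) * 1000
        taken_ms = int(row.get("time-taken", 0))
        findings.append({
            "client": row.get("c-ip"),
            "time": f"{row.get('date')} {row.get('time')}",
            "delay_ms": delay_ms,
            "time_taken_ms": taken_ms,
            # Response took at least the requested delay: the SQL likely ran.
            "likely_executed": taken_ms >= delay_ms,
        })
    return findings

if __name__ == "__main__":
    for finding in find_timing_probes(SAMPLE_LOG):
        print(finding)
```

IIS does not log POST bodies, so input submitted through a login form would have to be matched in WAF or reverse-proxy logs instead.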
If exploited, this vulnerability can have dire consequences for organizations using Bangyong PM2. Malicious actors could exploit this flaw to retrieve, alter, or delete sensitive information from the database. This could lead to information leaks, data loss, or unauthorized access to user accounts. The organization's reputation may also suffer, and financial losses may occur due to data breaches and subsequent regulatory fines.