Multiple SQL injection vulnerabilities in Loki download manager 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) password field to default.asp or (2) cat parameter to catinfo.asp.